Date:      Sat, 12 Dec 2009 12:02:43 +0100
From:      Martin Wilke <miwi@FreeBSD.org>
To:        Wen Heping <wen@FreeBSD.org>
Cc:        cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org, ports-committers@FreeBSD.org
Subject:   Re: cvs commit: ports/security/vuxml vuln.xml
Message-ID:  <20091212110243.GB93166@bsdcrew.de>
In-Reply-To: <200912121058.nBCAwx7F068788@repoman.freebsd.org>
References:  <200912121058.nBCAwx7F068788@repoman.freebsd.org>

This entry is wrong,

>>> Validating...
/usr/local/bin/xmllint --valid --noout /usr/home/miwi/dev/ports/security/vuxml/vuln.xml
/usr/home/miwi/dev/ports/security/vuxml/vuln.xml:51435: parser error : Premature end of data in tag vuxml line 37

^
>>> FAILED.
*** Error code 1

Please ask for review next time.

- Martin

On Sat, Dec 12, 2009 at 10:58:59AM +0000, Wen Heping wrote:
> wen         2009-12-12 10:58:59 UTC
> 
>   FreeBSD ports repository
> 
>   Modified files:
>     security/vuxml       vuln.xml 
>   Log:
>   - Document pligg -- Cross-Site Scripting and Cross-Site Request Forgery
>   
>   Revision  Changes    Path
>   1.2083    +41 -1     ports/security/vuxml/vuln.xml
> http://cvsweb.FreeBSD.org/ports/security/vuxml/vuln.xml.diff?r1=1.2082&r2=1.2083
> | --- ports/security/vuxml/vuln.xml	2009/12/11 15:27:17	1.2082
> | +++ ports/security/vuxml/vuln.xml	2009/12/12 10:58:58	1.2083
> | @@ -28,13 +28,53 @@ WHETHER IN CONTRACT, STRICT LIABILITY, O
> |  OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
> |  EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
> | =20
> | -  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.x=
ml,v 1.2082 2009/12/11 15:27:17 miwi Exp $
> | +  $FreeBSD: /usr/local/www/cvsroot/FreeBSD/ports/security/vuxml/vuln.x=
ml,v 1.2083 2009/12/12 10:58:58 wen Exp $
> | =20
> |  Note:  Please add new entries to the beginning of this file.
> | =20
> |  -->
> | =20
> |  <vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">;
> | +  <vuln vid=3D"bec38383-e6cb-11de-bdd4-000c2930e89b">
> | +    <topic>pligg -- Cross-Site Scripting and Cross-Site Request Forger=
y</topic>
> | +    <affects>
> | +      <package>
> | +        <name>pligg</name>
> | +        <range><lt>1.0.3b</lt></range>
> | +      </package>
> | +    </affects>
> | +    <description>
> | +      <body xmlns=3D"http://www.w3.org/1999/xhtml">;
> | +        <p>secunia reports:</p>
> | +        <blockquote cite=3D"http://secunia.com/advisories/37349">;
> | +          <p>Russ McRee has discovered some vulnerabilities in Pligg, =
which can
> | +            be exploited by malicious people to conduct cross-site scr=
ipting and
> | +            request forgery attacks.</p>
> | +          <p>Input passed via the "Referer" HTTP header to various scr=
ipts (e.g.
> | +            admin/admin_config.php, admin/admin_modules.php, delete.ph=
p, editlink.php,
> | +            submit.php, submit_groups.php, user_add_remove_links.php, =
and
> | +            user_settings.php) is not properly sanitised before being =
returned to
> | +            the user. This can be exploited to execute arbitrary HTML =
and script
> | +            code in a user's browser session in context of an affected=
 site.</p>
> | +          <p>The application allows users to perform certain actions v=
ia HTTP
> | +            requests without performing any validity checks to verify =
the requests.
> | +            This can be exploited to e.g. create an arbitrary user wit=
h administrative
> | +            privileges if a logged-in administrative user visits a mal=
icious web
> | +            site.</p>
> | +        </blockquote>
> | +      </body>
> | +    </description>
> | +    <references>
> | +      <url>http://secunia.com/advisories/37349/</url>;
> | +      <url>http://www.pligg.com/blog/775/pligg-cms-1-0-3-release/</url>;
> | +    </references>
> | +    <dates>
> | +      <discovery>2009-12-02</discovery>
> | +      <entry>2009-12-12</entry>
> | +    </dates>
> | +  </vuln>
> | +
> | +<vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">;
> |    <vuln vid=3D"fcbf56dd-e667-11de-920a-00248c9b4be7">
> |      <topic>piwik -- php code execution</topic>
> |      <affects>
> 
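Review bot: the added `+<vuxml xmlns=3D"http://www.vuxml.org/apps/vuxml-1">` line placed just before the unchanged `<vuln vid=3D"fcbf56dd-e667-11de-920a-00248c9b4be7">` context opens a second root element inside the one already opened by the existing `<vuxml xmlns=...>` line above the new entry, so the file's single closing `</vuxml>` now terminates the inner element and leaves the outer one unterminated; that is exactly the "Premature end of data in tag vuxml line 37" failure the xmllint run quoted above reports. Drop that one added line so the new `<vuln>` simply precedes the existing entries under the original root (the "add new entries to the beginning of this file" note in the context is satisfied by the new `<vuln>` block alone), and run the xmllint validation before committing so an ill-formed vuln.xml never reaches the repository.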

-- 

+-----------------------+-------------------------------+
|  PGP    : 0xB1E6FCE9  |  Jabber : miwi(at)BSDCrew.de  |
|  Skype  : splash_111  |  Mail   : miwi(at)FreeBSD.org |
+-----------------------+-------------------------------+
|	Mess with the Best, Die like the Rest!		|
+-----------------------+-------------------------------+
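An added pre-commit check, written for this thread and not part of the original message or of the ports tooling, that catches the class of failure Martin's xmllint run reports: it parses a constructed VuXML document and flags one that is not well-formed (such as a file with a second <vuxml> opening tag), a closed-but-nested <vuxml>, duplicate vids, and entries missing the children the format requires. The vid, package name and URL in the sample are constructed placeholders.

```python
import xml.etree.ElementTree as ET

VUXML_NS = "http://www.vuxml.org/apps/vuxml-1"
REQUIRED_CHILDREN = ("topic", "affects", "description", "references", "dates")


def check_vuxml(text):
    """Return problem strings; an empty list means well-formed with all required children."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # Same failure class xmllint reported: an extra <vuxml> opener
        # leaves the outer root element unterminated at end of data.
        return ["not well-formed: %s" % exc]
    problems = []
    if root.tag != "{%s}vuxml" % VUXML_NS:
        problems.append("unexpected root element %s" % root.tag)
    # A second <vuxml> that someone also closed parses fine but is still wrong.
    if any(el is not root for el in root.iter("{%s}vuxml" % VUXML_NS)):
        problems.append("nested <vuxml> element")
    seen = set()
    for vuln in root.iter("{%s}vuln" % VUXML_NS):
        vid = vuln.get("vid")
        if not vid:
            problems.append("<vuln> without vid attribute")
            continue
        if vid in seen:
            problems.append("duplicate vid %s" % vid)
        seen.add(vid)
        for child in REQUIRED_CHILDREN:
            if vuln.find("{%s}%s" % (VUXML_NS, child)) is None:
                problems.append("%s: missing <%s>" % (vid, child))
    return problems


# Constructed sample entry; the vid is a placeholder, not a real advisory.
ENTRY = """  <vuln vid="00000000-0000-0000-0000-000000000000">
    <topic>example -- constructed test entry</topic>
    <affects><package><name>example</name><range><lt>1.0</lt></range></package></affects>
    <description><body xmlns="http://www.w3.org/1999/xhtml"><p>constructed</p></body></description>
    <references><url>http://example.invalid/advisory</url></references>
    <dates><discovery>2009-12-02</discovery><entry>2009-12-12</entry></dates>
  </vuln>
"""
GOOD = '<vuxml xmlns="%s">\n%s</vuxml>\n' % (VUXML_NS, ENTRY)
# Mimics the broken commit: a second <vuxml> opener pasted after the new
# entry, so the file's single closing tag no longer matches the outer root.
BAD = '<vuxml xmlns="%s">\n%s<vuxml xmlns="%s">\n%s</vuxml>\n' % (
    VUXML_NS, ENTRY, VUXML_NS, ENTRY)
```

Running `check_vuxml(BAD)` returns a single "not well-formed" problem, while `check_vuxml(GOOD)` returns an empty list.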