Date: Mon, 29 Sep 2003 01:29:20 +0900 (JST) From: IIJIMA Hiromitsu <delmonta@ht.sakura.ne.jp> To: FreeBSD-gnats-submit@FreeBSD.org Subject: bin/57321: CGI.pm in 4.x base system has a cross-site scripting vulneravility Message-ID: <20030928162920.7770EA97F@sodans.usata.org> Resent-Message-ID: <200309281630.h8SGUGLe034956@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 57321 >Category: bin >Synopsis: CGI.pm in 4.x base system has a cross-site scripting vulneravility >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Sep 28 09:30:16 PDT 2003 >Closed-Date: >Last-Modified: >Originator: IIJIMA Hiromitsu >Release: FreeBSD 4.7-RELEASE-p3 i386 >Organization: DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org >Environment: System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root@www.my.domain:/usr/src/sys/compile/RENTALv6 i386 Userland is upgraded to -p16, while the kernel is still -p3. >Description: A cross-site scripting vulnerability is reported in CGI.pm. All of the following are affected: - 4.x base system's perl 5.005_03 - ports/japanese/perl5 (5.005_03 with Japanese patch) - ports/lang/perl5 (5.6.1) - ports/lang/perl5.8 (5.8.0) I'll send separate PRs for japanese/perl5 and lang/perl5*. >How-To-Repeat: See the exploit code at: http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2 >Fix: Replace CGI.pm with the latest version from CPAN, or install ports/www/p5-CGI.pm. >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20030928162920.7770EA97F>