Date: Wed, 29 Sep 2010 07:40:04 GMT From: Florian Smeets <flo@smeets.im> To: freebsd-ports-bugs@FreeBSD.org Subject: Re: ports/151055: [MAINTAINER] [security] www/phpmyfaq: update to 2.6.9, fix XSS vulnerability Message-ID: <201009290740.o8T7e42m060502@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
The following reply was made to PR ports/151055; it has been noted by GNATS. From: Florian Smeets <flo@smeets.im> To: bug-followup@FreeBSD.org Cc: Subject: Re: ports/151055: [MAINTAINER] [security] www/phpmyfaq: update to 2.6.9, fix XSS vulnerability Date: Wed, 29 Sep 2010 09:36:16 +0200 This is a multi-part message in MIME format. --------------060105080902070007030508 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Here is the vuxml entry. --------------060105080902070007030508 Content-Type: text/plain; x-mac-type="0"; x-mac-creator="0"; name="vuxml.diff" Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename="vuxml.diff" --- vuln.xml.old 2010-09-29 09:06:01.000000000 +0200 +++ vuln.xml 2010-09-29 09:21:18.000000000 +0200 @@ -34,6 +34,36 @@ --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="068732bb-cb98-11df-bc93-001c42d23634"> + <topic>phpmyfaq -- XSS vulnerabilities</topic> + <affects> + <package> + <name>phpmyfaq</name> + <range><ge>2.6.0</ge><lt>2.6.9</lt></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>The phpMyFAQ project reports:</p> + <blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php"> + <p>The phpMyFAQ Team has learned of a security issue that has been + discovered in phpMyFAQ 2.6.x</p> + <p>phpMyFAQ doesn't sanitize some variables in different pages + correctly. With a properly crafted URL it is e.g. possible to inject + JavaScript code into the output of a page, which could result in the + leakage of domain cookies (f.e. session identifiers).</p> + </blockquote> + </body> + </description> + <references> + <url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url> + </references> + <dates> + <discovery>2010-09-28</discovery> + <entry>2010-09-29</entry> + </dates> + </vuln> + <vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1"> <topic>openx -- remote code execution vulnerability</topic> <affects> --------------060105080902070007030508--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009290740.o8T7e42m060502>