Date: Sun, 7 Dec 2008 15:38:00 +0900 (JST)
From: Ayumi M <ayu@dahlia.commun.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/129475: [vuxml] [MAINTAINER] www/habari:
Message-ID: <20081207063800.B653062E3@dahlia.commun.jp>
Resent-Message-ID: <200812070640.mB76e16H038358@freefall.freebsd.org>

>Number: 129475
>Category: ports
>Synopsis: [vuxml] [MAINTAINER] www/habari:
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: maintainer-update
>Submitter-Id: current-users
>Arrival-Date: Sun Dec 07 06:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Ayumi M
>Release: FreeBSD 7.0-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD dahlia.commun.jp 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Wed Oct 1 10:10:12 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
VuXML update for CVE-2008-4601

citing from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4601
--
Cross-site scripting (XSS) vulnerability in the login feature in Habari CMS 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the habari_username parameter.
--
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4601
http://secunia.com/advisories/32311/
>Fix:

--- vuln-5e051e94-c35d-11dd-aff6-001b210f913f.xml begins here ---
<vuln vid="5e051e94-c35d-11dd-aff6-001b210f913f">
  <topic>habari -- Cross-site scripting</topic>
  <affects>
    <package>
      <name>habari</name>
      <range><lt>0.5.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <blockquote cite="http://secunia.com/advisories/32311/">
        <p>swappie has discovered a vulnerability in Habari, which can
          be exploited by malicious people to conduct cross-site
          scripting attacks.</p>
        <p>Input passed via the "habari_username" parameter when
          logging in is not properly sanitised before being returned
          to the user. This can be exploited to execute arbitrary HTML
          and script code in a user's browser session in context of an
          affected site.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-4601</cvename>
    <url>http://secunia.com/advisories/32311/</url>
    <url>http://www.habariproject.org/en/habari-version-0-5-2</url>
  </references>
  <dates>
    <discovery>2008-10-15</discovery>
  </dates>
</vuln>
--- vuln-5e051e94-c35d-11dd-aff6-001b210f913f.xml ends here ---

>Release-Note:
>Audit-Trail:
>Unformatted:
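
Added example, not part of the original report and not FreeBSD's own tooling: a minimal audit check that reads the <affects> section of the entry above and decides whether an installed package version falls inside its <range>. The function names are hypothetical, ENTRY is a trimmed copy of the submitted entry, and versions are assumed to be plain dotted numbers rather than full pkg-version(8) syntax.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the submitted entry, trimmed to the fields the check needs.
# Parse only vuln.xml data from a trusted source; this is not a hardened XML parser.
ENTRY = """<vuln vid="5e051e94-c35d-11dd-aff6-001b210f913f">
  <topic>habari -- Cross-site scripting</topic>
  <affects><package>
    <name>habari</name>
    <range><lt>0.5.2</lt></range>
  </package></affects>
</vuln>"""

# VuXML range bounds, each applied to the sign of cmp(installed, bound).
OPS = {"lt": lambda c: c < 0, "le": lambda c: c <= 0, "eq": lambda c: c == 0,
       "ge": lambda c: c >= 0, "gt": lambda c: c > 0}

def vkey(version):
    """Assumption: dotted-numeric versions only; anything else is rejected."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unsupported version syntax: {version!r}")
    parts = [int(p) for p in version.split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 0.5 and 0.5.0 as equal
        parts.pop()
    return parts

def cmp_versions(a, b):
    ka, kb = vkey(a), vkey(b)
    return (ka > kb) - (ka < kb)

def affected(entry_xml, name, version):
    """Return the entry's vid if name-version matches any <range>, else None."""
    vuln = ET.fromstring(entry_xml)
    for pkg in vuln.iter("package"):
        if name not in [n.text for n in pkg.findall("name")]:
            continue
        for rng in pkg.findall("range"):
            bounds = list(rng)
            # Every bound inside one <range> must hold; separate <range>s are alternatives.
            if bounds and all(OPS[b.tag](cmp_versions(version, b.text)) for b in bounds):
                return vuln.get("vid")
    return None

if __name__ == "__main__":
    for v in ("0.5.1", "0.5.2"):
        print("habari", v, "->", affected(ENTRY, "habari", v))
```

In the full vuln.xml the root element declares a default XML namespace, so the tag lookups would need that namespace added before this check is pointed at the whole file.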