List: oss-security
Subject: Re: [oss-security] CVE request: XSS in python paste
From: Josh Bressers <bressers () redhat ! com>
Date: 2010-06-30 19:22:23
Message-ID: 2046753133.1643151277925743488.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com
Please use CVE-2010-2477
Thanks.
--
JB
----- "Raphael Geissert" <geissert@debian.org> wrote:
> Hi,
>
> Quoting [1]:
>
> > Paste 1.7.4 is released. The only real change is to paste.httpexceptions,
> > which was using insecure quoting of some parameters and allowed an XSS
> > hole, most specifically with its 404 messages. The most notable WSGI
> > application using this is paste.urlparse.StaticURLParser and
> > PkgResourcesParser. By directing someone to an appropriately formed URL
> > an attacker can execute arbitrary Javascript on the victim's client.
> > paste.urlmap.URLMap is also affected, but only if you have no application
> > attached to /. Other applications using paste.httpexceptions may be
> > affected (especially HTTPNotFound). WebOb/webob.exc.HTTPNotFound is not
> > affected.
>
> The commit fixing this bug appears to be:
> http://bitbucket.org/ianb/paste/changeset/fcae59df8b56
> Homepage:
> http://pythonpaste.org/
>
> Could a CVE be assigned?
>
> Thanks in advance.
>
> [1] http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1
>
> Regards,
> --
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net
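The bug class described in the quoted release note (an HTTP error page that drops a request-derived value into HTML without escaping it) is easy to reproduce in miniature. The following is an added illustration written for this archive page; it is not code from Paste, from the linked changeset, or from either poster. The WSGI application, the two render functions and the `run` helper are hypothetical names chosen here, and the request path is a constructed sample. It shows a 404 handler before and after the fix a maintainer would apply (escaping with `html.escape`), and a tiny offline driver so the two behaviours can be compared without a server.

```python
"""Added example (not Paste's own code): an unescaped 404 page beside its
hardened form, driven offline through the WSGI interface.

Assumptions: the handler names below are hypothetical; the only real
library calls are html.escape and wsgiref.util.setup_testing_defaults.
"""
from functools import partial
from html import escape
from wsgiref.util import setup_testing_defaults

# Minimal template for the error body; %s is where the request path lands.
_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The resource at %s could not be found.</p></body></html>"
)


def render_404_unescaped(path):
    """BEFORE: the raw path is interpolated into HTML.

    WSGI servers deliver PATH_INFO already URL-decoded, so a '<' sent as
    %3C arrives here as a literal '<' and is rendered as markup by the
    victim's browser.  This is the defect the release note describes.
    """
    return _TEMPLATE % path


def render_404_escaped(path):
    """AFTER: markup-significant characters become entities.

    quote=True also converts ' and ", so the value is safe inside an
    attribute as well as in element content.
    """
    return _TEMPLATE % escape(path, quote=True)


def not_found_app(environ, start_response, render=render_404_escaped):
    """Hypothetical WSGI app that answers every request with a 404 page."""
    body = render(environ.get("PATH_INFO", "/")).encode("utf-8")
    start_response(
        "404 Not Found",
        [("Content-Type", "text/html; charset=utf-8"),
         ("Content-Length", str(len(body)))],
    )
    return [body]


# The vulnerable and fixed variants, bound to the same app skeleton.
vulnerable_app = partial(not_found_app, render=render_404_unescaped)
fixed_app = partial(not_found_app, render=render_404_escaped)


def run(app, path):
    """Drive a WSGI app offline; return (status, body_text)."""
    environ = {}
    setup_testing_defaults(environ)  # fills in a complete WSGI environ
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        return lambda data: None  # legacy write() callable, unused here

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


def reflects_raw_markup(body, path):
    """Regression check: True if the path's markup survived unescaped."""
    return path in body and escape(path, quote=True) != path


# Constructed sample path: benign markup is enough to show the difference.
SAMPLE_PATH = "/no-such/<b>page</b>"

if __name__ == "__main__":
    for name, app in (("vulnerable", vulnerable_app), ("fixed", fixed_app)):
        status, body = run(app, SAMPLE_PATH)
        print(name, status, "raw markup reflected:",
              reflects_raw_markup(body, SAMPLE_PATH))
```

The `reflects_raw_markup` check is the shape of assertion worth keeping in a project's test suite after a fix like Paste 1.7.4's: feed every error renderer a path containing `<`, `>`, `"` and `'`, and fail the build if any of them comes back verbatim.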