
List:       oss-security
Subject:    Re: [oss-security] CVE request: XSS in python paste
From:       Josh Bressers <bressers () redhat ! com>
Date:       2010-06-30 19:22:23
Message-ID: 2046753133.1643151277925743488.JavaMail.root () zmail01 ! collab ! prod ! int ! phx2 ! redhat ! com

Please use CVE-2010-2477

Thanks.

-- 
    JB


----- "Raphael Geissert" <geissert@debian.org> wrote:

> Hi,
> 
> Quoting [1]:
> 
> > Paste 1.7.4 is released.  The only real change is to paste.httpexceptions,
> > which was using insecure quoting of some parameters and allowed an XSS
> > hole, most specifically with its 404 messages.  The most notable WSGI
> > applications using this are paste.urlparse.StaticURLParser and
> > PkgResourcesParser.  By directing someone to an appropriately formed URL
> > an attacker can execute arbitrary Javascript on the victim's client.
> > paste.urlmap.URLMap is also affected, but only if you have no application
> > attached to /.  Other applications using paste.httpexceptions may be
> > affected (especially HTTPNotFound).  WebOb/webob.exc.HTTPNotFound is not
> > affected.
> 
> The commit fixing this bug appears to be:
> http://bitbucket.org/ianb/paste/changeset/fcae59df8b56
> Homepage:
> http://pythonpaste.org/
> 
> Could a CVE be assigned?
> 
> Thanks in advance.
> 
> [1] http://groups.google.com/group/paste-users/browse_thread/thread/3b3fff3dadd0b1e5?pli=1
> 
> Regards,
> -- 
> Raphael Geissert - Debian Developer
> www.debian.org - get.debian.net
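The announcement quoted above describes a reflected XSS that arises when a request parameter (here the path of a missing resource) is interpolated into a 404 page without HTML escaping. The following is an added illustration, not code from the Paste project or from either poster: a minimal WSGI "404 Not Found" responder shown in the unescaped form that reflects raw markup and in the hardened form that escapes the path first. The function names, the synthetic WSGI driver and the sample path are all constructed for this example.

```python
# Added illustration (not Paste's own code): a minimal WSGI 404 responder
# in a vulnerable (unescaped) and a hardened (HTML-escaped) form.
from html import escape

NOT_FOUND_TEMPLATE = (
    "<html><body><h1>404 Not Found</h1>"
    "<p>The resource %s could not be found.</p></body></html>"
)


def not_found_body_unescaped(path: str) -> str:
    """Pattern that leads to reflected XSS: the user-controlled path is
    interpolated into HTML verbatim, so any markup in it is rendered."""
    return NOT_FOUND_TEMPLATE % path


def not_found_body_escaped(path: str) -> str:
    """Hardened form: escape &, <, >, " and ' before interpolation, so the
    path is displayed as text rather than interpreted as markup."""
    return NOT_FOUND_TEMPLATE % escape(path, quote=True)


def not_found_app(environ, start_response):
    """WSGI application that always answers 404 using the escaped body."""
    path = environ.get("PATH_INFO", "/")
    body = not_found_body_escaped(path).encode("utf-8")
    start_response(
        "404 Not Found",
        [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ],
    )
    return [body]


def call_wsgi(app, path: str):
    """Tiny synthetic driver so the app can be exercised without a server.
    Returns (status, headers dict, decoded body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    chunks = app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response)
    body = b"".join(chunks).decode("utf-8")
    return captured["status"], dict(captured["headers"]), body


def reflects_raw_markup(body: str) -> bool:
    """Defender-side check: does the response still contain an unescaped
    script tag?  Useful as a unit test on error-page templates."""
    return "<script" in body.lower()


# Constructed sample path containing markup, used only to exercise the
# two renderers above.
CONSTRUCTED_PATH = "/missing/<script>alert(1)</script>"

if __name__ == "__main__":
    print(not_found_body_unescaped(CONSTRUCTED_PATH))
    print(not_found_body_escaped(CONSTRUCTED_PATH))
    print(call_wsgi(not_found_app, CONSTRUCTED_PATH))
```

The hardened variant relies on `html.escape` from the standard library; the same point applies to any error page (not only 404) that echoes request data, and `reflects_raw_markup` is the kind of assertion a project can keep in its test suite to catch a regression to the unescaped pattern.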