struts-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Niall Pemberton (JIRA)" <j...@apache.org>
Subject [jira] Commented: (STR-3191) Sufficently filter HTML tag attribute names and values
Date Wed, 23 Sep 2009 13:58:48 GMT

    [ https://issues.apache.org/struts/browse/STR-3191?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=46829#action_46829
] 

Niall Pemberton commented on STR-3191:
--------------------------------------

ASF Security don't evaluate vulnerabilities, they just act as a central point of contact,
passing on to the appropriate PMC to evaluate. If the example provided so far is all that
this vulnerability amounts to then my recommendation would be to reverse the patch.

Is Vincent Danen our official contact for this issue? If not then perhaps we should respond
to the original email that came to the PMC list indicating that we don't believe this is a
Struts issue and asking if there are any other examples.


> Sufficently filter HTML tag attribute names and values
> ------------------------------------------------------
>
>                 Key: STR-3191
>                 URL: https://issues.apache.org/struts/browse/STR-3191
>             Project: Struts 1
>          Issue Type: Bug
>          Components: Tag Libraries
>    Affects Versions: 1.2.9, 1.3.10
>            Reporter: Paul Benedict
>            Assignee: Paul Benedict
>            Priority: Blocker
>             Fix For: 1.3.11, 1.4.0
>
>         Attachments: STR-3191-patch.txt
>
>
> Allows remote attackers to inject arbitrary web script or HTML via unspecified vectors
related to insufficient quoting of parameters. 
> * https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2025
> * http://support.novell.com/security/cve/CVE-2008-2025.html

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message