blob: 2f9347fb0b631bee6a358b5cda3f2feb2b718cdd [file] [log] [blame]
<?xml version="1.0" encoding="utf-8"?>
<glsa id="200502-16">
<title>ht://Dig: Cross-site scripting vulnerability</title>
ht://Dig is vulnerable to cross-site scripting attacks.
<product type="ebuild">htdig</product>
<announced>February 13, 2005</announced>
<revised>February 13, 2005: 01</revised>
<package name="www-misc/htdig" auto="yes" arch="*">
<unaffected range="ge">3.1.6-r7</unaffected>
<vulnerable range="lt">3.1.6-r7</vulnerable>
ht://Dig is an HTTP/HTML indexing and searching system.
Michael Krax discovered that ht://Dig fails to validate the
'config' parameter before displaying an error message containing the
parameter. This flaw could allow an attacker to conduct cross-site
scripting attacks.
<impact type="low">
By sending a carefully crafted message, an attacker can inject and
execute script code in the victim's browser window. This allows to
modify the behaviour of ht://Dig, and/or leak session information such
as cookies to the attacker.
There is no known workaround at this time.
All ht://Dig users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose &quot;&gt;=www-misc/htdig-3.1.6-r7&quot;</code>
<uri link="">CAN-2005-0085</uri>
<uri link="">SecurityTracker #1013078</uri>
<metadata tag="requester" timestamp="Sun, 13 Feb 2005 17:17:57 +0000">
<metadata tag="bugReady" timestamp="Sun, 13 Feb 2005 17:19:04 +0000">
<metadata tag="submitter" timestamp="Sun, 13 Feb 2005 20:15:40 +0000">