bin/57323: CGI.pm in ports/lang/perl5* have a cross-site scripting
vulneravility
IIJIMA Hiromitsu
delmonta at ht.sakura.ne.jp
Sun Sep 28 09:50:06 PDT 2003
>Number: 57323
>Category: bin
>Synopsis: CGI.pm in ports/lang/perl5* have a cross-site scripting vulneravility
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Sep 28 09:50:03 PDT 2003
>Closed-Date:
>Last-Modified:
>Originator: IIJIMA Hiromitsu
>Release: FreeBSD 4.7-RELEASE-p3 i386
>Organization:
DENNOU GEDOU GAKKAI, N. D. D. http://www.dennougedougakkai-ndd.org
>Environment:
System: FreeBSD sodans.usata.org 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #0: Wed Jan 22 14:50:19 JST 2003 root at www.my.domain:/usr/src/sys/compile/RENTALv6 i386
Userland is upgraded to -p16, while the kernel is still -p3.
>Description:
A cross-site scripting vulnerability is reported in CGI.pm.
All of the following are affected:
- 4.x base system's perl 5.005_03
- ports/japanese/perl5 (5.005_03 with Japanese patch)
- ports/lang/perl5 (5.6.1)
- ports/lang/perl5.8 (5.8.0)
I have sent separate PRs for 4.x base system and japanese/perl5.
>How-To-Repeat:
See the exploit code at:
http://marc.theaimsgroup.com/?l=bugtraq&m=105880349328877&w=2
>Fix:
Replace CGI.pm with a newer one, or force all users to install
ports/www/p5-CGI.pm.
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list