Ansgar Burchardt
2011-Dec-18 22:17 UTC
[Secure-testing-team] Bug#652587: libhtml-template-pro-perl: missing escaping allows XSS
Package: libhtml-template-pro-perl
Version: 0.9502-1
Severity: important
Tags: security

The JS escaping in libhtml-template-pro-perl fails to escape "<" and ">", which allows XSS. This was fixed in the last upstream release (0.9507).

An example script that triggers the bug is attached. With 0.9507 it outputs <evil>; older versions generate <evil> instead.

Ansgar
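To illustrate the class of bug in the report, here is an added example (written for this page in Python, not code from HTML::Template::Pro or from the reporter's attached script). It contrasts a JS string escaper that handles only backslashes, quotes and line terminators with one that also emits "<", ">" and "&" as \xHH sequences, and shows why the first one is exploitable: a value containing "</script>" is still a valid JS string, but the HTML parser sees the closing tag first and leaves the script element, so any markup that follows runs as a new script. The function names, the template string and the payload are constructed for this example.

```python
import re

# Escaper that reproduces the reported class of bug: safe inside a JS string
# literal, but "<" and ">" pass through untouched, so "</script>" survives.
def js_escape_incomplete(value):
    table = {'\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r'}
    return ''.join(table.get(c, c) for c in value)

# Corrected escaper: additionally turns "<", ">" and "&" into JS hex escapes.
# The JS engine decodes \x3c back to "<", but the HTML parser, which runs
# first and does not understand JS escapes, never sees a tag inside the literal.
def js_escape_fixed(value):
    table = {
        '\\': '\\\\', '"': '\\"', "'": "\\'", '\n': '\\n', '\r': '\\r',
        '<': '\\x3c', '>': '\\x3e', '&': '\\x26',
    }
    return ''.join(table.get(c, c) for c in value)

# Stand-in for a template that places an ESCAPE=JS variable inside a script block.
def render(escape, value):
    return '<script>var name = "%s";</script>' % escape(value)

# Decoder for the subset of JS string escapes the escapers above emit, used to
# confirm that the fixed escaper still round-trips the original value.
_ESCAPE_RE = re.compile(r'\\(x[0-9a-fA-F]{2}|.)', re.DOTALL)

def js_unescape(literal):
    simple = {'n': '\n', 'r': '\r', '\\': '\\', '"': '"', "'": "'"}
    def repl(m):
        tok = m.group(1)
        if tok.startswith('x'):
            return chr(int(tok[1:], 16))
        return simple[tok]
    return _ESCAPE_RE.sub(repl, literal)

# The HTML tokenizer ends a script element at the first "</script", regardless
# of JS quoting. The rendered page has exactly one intended closing tag, so any
# additional occurrence means the value broke out of the script block.
_SCRIPT_CLOSE = re.compile(r'</script', re.IGNORECASE)

def breaks_out_of_script(html):
    return len(_SCRIPT_CLOSE.findall(html)) > 1

if __name__ == '__main__':
    # Constructed payload: closes the script element early and opens a new one.
    payload = '</script><script>alert(1)</script>'
    for escape in (js_escape_incomplete, js_escape_fixed):
        page = render(escape, payload)
        print(escape.__name__, 'breakout:', breaks_out_of_script(page))
        print('  ', page)
```

Checking for a stray "</script" in the rendered output is a cheap regression test for any template engine's JS escaping mode; escaping "<" and ">" as hex sequences is preferable to HTML-entity encoding because the latter would corrupt the value once the JS engine reads it.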