There's a cross-site scripting issue in Omega - exception messages don't currently get HTML entities escaped, but can contain CGI parameter values in some cases.

This issue was reported to me through Debian's security team who have allocated CVE-2009-2947 to it, and have notified other vendors.

If you're not familiar with such vulnerabilities, this one is what is termed a "Non-persistent" vulnerability here:

http://en.wikipedia.org/wiki/Cross-site_scripting

Because Omega itself doesn't use cookies, the potential impact is low unless you host Omega on a domain name which runs other web applications which do have sensitive cookies (or if such cookies are set on the parent domain), but the fix is extremely unlikely to have side-effects, so I'd recommend everyone should apply it.

I've attached a patch which escapes HTML entities in exception messages which should apply to 1.0.9 and later versions (including all 1.1.x). 1.0.8 and earlier don't catch std::exception but otherwise the same patch should work, though you should consider upgrading to a more recent release. If anyone cares about 0.9.x then the query.h header guard macro name is different, but otherwise the code is the same as older 1.0.x.

Patched Debian packages should appear shortly, and I intend to release 1.0.16 soon including this fix.

Cheers,
Olly

Attachment: omega-xss-fix-cve-2009-2947.patch (text/x-diff, 1329 bytes): http://lists.xapian.org/pipermail/xapian-discuss/attachments/20090909/ddd9b51a/attachment.patch
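The pattern described above, as an added illustration (not Omega's code or the attached patch): an exception message built from a CGI parameter value is written into the HTML response, first unescaped and then with HTML entities escaped. The parameter name `count`, `parse_cgi_param` and the two `error_page_*` functions are hypothetical stand-ins for the application's own handling.

```cpp
#include <stdexcept>
#include <string>

// Escape the characters that are significant in an HTML text context, so a
// user-supplied value embedded in an exception message is rendered as text
// rather than parsed as markup.
std::string html_escape(const std::string &s) {
    std::string out;
    out.reserve(s.size());
    for (char ch : s) {
        switch (ch) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += ch;
        }
    }
    return out;
}

// Hypothetical parameter check that rejects a non-numeric value by throwing;
// the message echoes the raw value, as the advisory says can happen.
void parse_cgi_param(const std::string &name, const std::string &value) {
    if (value.empty() || value.find_first_not_of("0123456789") != std::string::npos)
        throw std::runtime_error("Bad value for parameter " + name + ": " + value);
}

// Unfixed pattern: e.what() is copied straight into the page body.
std::string error_page_unescaped(const std::string &name, const std::string &value) {
    try {
        parse_cgi_param(name, value);
        return "<p>ok</p>";
    } catch (const std::exception &e) {
        return "<p>Error: " + std::string(e.what()) + "</p>";
    }
}

// Fixed pattern: the message is escaped before being emitted as HTML.
std::string error_page_escaped(const std::string &name, const std::string &value) {
    try {
        parse_cgi_param(name, value);
        return "<p>ok</p>";
    } catch (const std::exception &e) {
        return "<p>Error: " + html_escape(e.what()) + "</p>";
    }
}
```

With a constructed value such as `<b>x</b>`, the unescaped page contains live markup while the escaped page renders the same characters literally.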
On Wed, Sep 09, 2009 at 02:25:06PM +0100, Olly Betts wrote:
> There's a cross-site scripting issue in Omega - exception messages
> don't currently get HTML entities escaped, but can contain CGI parameter
> values in some cases.

I've created a page to collect links for this - if you have a link to an announcement of fixed packages for a particular platform, please add it here:

http://trac.xapian.org/wiki/SecurityFixes/2009-09-09

I've also created an index page, and linked it from the front page of the wiki:

http://trac.xapian.org/wiki/SecurityFixes

It's not that I expect we'll have many security fixes (the current rate is one per decade!), but I think it's important to make information about them easy to find.

> Patched Debian packages should appear shortly, and I intend to release
> 1.0.16 soon including this fix.

The Debian security team have released my updates for stable and oldstable, and there are fixed packages in unstable, which should migrate to testing tomorrow. I'll upload fixed backports for Ubuntu to the PPA in the next few days.

And as you've probably already seen, I released 1.0.16 yesterday.

Cheers,
Olly