Bug#311838: marked as done (XSS problems, unescaped input/output, etc..)

To: Noèl Köthe <noel@debian.org>
Subject: Bug#311838: marked as done (XSS problems, unescaped input/output, etc..)
From: owner@bugs.debian.org (Debian Bug Tracking System)
Date: Sun, 24 Sep 2006 05:19:23 -0700
Message-id: <[🔎] handler.311838.D311838.115909929920090.ackdone@bugs.debian.org>
References: <1159099293.3714.5.camel@localhost> <E1DeFVR-0000t8-02@polaris.galacticasoftware.com>

Your message dated Sun, 24 Sep 2006 14:01:33 +0200
with message-id <1159099293.3714.5.camel@localhost>
and subject line [Fwd: Bug#368099 closed by Debian Archive Maintenance <ftpmaster@ftp-master.debian.org> (Bug#368099: fixed)]
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: XSS problems, unescaped input/output, etc..
From: Adam Majer <adamm@zombino.com>
Date: Fri, 03 Jun 2005 11:58:48 -0500
Message-id: <E1DeFVR-0000t8-02@polaris.galacticasoftware.com>

Package: websieve
Version: 0.62-1
Severity: grave
Tags: security

There is a XSS hole in the websieve user interface. For example, you may add a rule like,

'from' contains: <a href='debian.org'>Click me

and the HTML contains 

<b>From</b>' contains '<b><a href='debian.org'>Click me</a></b>'


Also, there seems to be unescaped stuff in the script making things much, much worse.
Using double quotes will break things. Setting up a rule such that,

'from' contains: </b>"blah"

yields,

Updatesieve Error: Cant' update script...
Returned Error: Putting script: script errors: line 73: syntax error, unexpected $undefined, expecting ')'
You can click on your browser's Back button to go back and try your entry again.


Looking at the source code, there seems to be A LOT of unescaped stuff. This problem is very annoying 
to me, but for others running websieve on an ISP level, this is a grave security problem.

- Adam


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages websieve depends on:
ii  libcyrus-imap-perl21          2.1.18-1   Interface to Cyrus imap client imc
ii  perl                          5.8.4-8    Larry Wall's Practical Extraction 

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 311838-done@bugs.debian.org
Cc: 265695-done@bugs.debian.org, 276021-done@bugs.debian.org, 358464-done@bugs.debian.org, 368105-done@bugs.debian.org, 303315-done@bugs.debian.org
Subject: [Fwd: Bug#368099 closed by Debian Archive Maintenance <ftpmaster@ftp-master.debian.org> (Bug#368099: fixed)]
From: Noèl Köthe <noel@debian.org>
Date: Sun, 24 Sep 2006 14:01:33 +0200
Message-id: <1159099293.3714.5.camel@localhost>

Hello,

closing bugs, because package is removed.


> > We believe that the bug you reported is now fixed; the following
> > package(s) have been removed from unstable:
> > 
> >   websieve |     0.62-2 | source, all
> > 
> > Note that the package(s) have simply been removed from the tag
> > database and may (or may not) still be in the pool; this is not a bug.
> > The package(s) will be physically removed automatically when no suite
> > references them (and in the case of source, when no binary references
> > it).  Please also remember that the changes have been done on the
> > master archive (ftp-master.debian.org) and will not propagate to any
> > mirrors (ftp.debian.org included) until the next cron.daily run at the
> > earliest.
> > 
> > Packages are never removed from testing by hand.  Testing tracks
> > unstable and will automatically remove packages which were removed
> > from unstable when removing them from testing causes no dependency
> > problems.
> > 
> > Bugs which have been reported against this package are not automatically
> > removed from the Bug Tracking System.  Please check all open bugs and
> > close them or re-assign them to another package if the removed package
> > was superseded by another one.
> > 
> > Thank you for reporting the bug, which will now be closed.  If you
> > have further comments please address them to 368099@bugs.debian.org.
> > 
> > This message was generated automatically; if you believe that there is
> > a problem with it please contact the archive administrators by mailing
> > ftpmaster@debian.org.
> > 
> > Debian distribution maintenance software
> > pp.
> > Jeroen van Wolffelaar (the ftpmaster behind the curtain)


-- 
Noèl Köthe <noel debian.org>
Debian GNU/Linux, www.debian.org

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil

--- End Message ---

Reply to:

Prev by Date: Bug#358464: marked as done (websieve: incorect script generation for "file into" shared folders)
Next by Date: Bug#303315: marked as done (websieve: Please allow alternative usage of libcyrus-imap-perl21 or libcyrus-imap-perl22)
Previous by thread: Bug#358464: marked as done (websieve: incorect script generation for "file into" shared folders)
Next by thread: Bug#303315: marked as done (websieve: Please allow alternative usage of libcyrus-imap-perl21 or libcyrus-imap-perl22)
Index(es):
- Date
- Thread