[BackupPC-users] Status of CVE-2011-5081 (Cross-site scripting vulnerability)
2012-05-28 15:25:40
Several distros (e.g. Ubuntu) have recently dealt with the problem
mentioned in the subject line by adding a patch in the module
lib/BackupPC/CGI/RestoreFile.pm.
A bug requesting this security issue to be fixed has now also been filed
in Mageia. Trying to follow up this bug, I realised that
- according to the references quoted for CVE-2011-5081, the bug is
"fixed by vendor" (the CVE notice dates from April 2011)
- trying the commands proposed as PoC on my (un-patched) backuppc 3.2.1
installation, there was no apparent problem.
Am I right in assuming that the patch in RestoreFile.pm is not needed (and
that backuppc developers have solved the problem by a modification
different from that proposed in the RestoreFile.pm patch)?
I would very much appreciate receiving confirmation in order to be able
to close the bug as resolved by "upstream".
(PS: I also tried applying the patch proposed for RestoreFile.pm and did
not see any difference in the response to the PoC commands)
Juergen
_______________________________________________
BackupPC-users mailing list
BackupPC-users AT lists.sourceforge DOT net
List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
Wiki: http://backuppc.wiki.sourceforge.net
Project: http://backuppc.sourceforge.net/
- [BackupPC-users] Status of CVE-2011-5081 (Cross-site scripting vulnerability), Juergen Harms