Debian: perl CGI.pm XSS vulnerability

    Date11 Aug 2003
    CategoryDebian
    3004
    Posted ByLinuxSecurity Advisories
    A cross-site scripting vulnerability exists in the start_form()function in CGI.pm.
    
    - --------------------------------------------------------------------------
    Debian Security Advisory DSA 371-1                     This email address is being protected from spambots. You need JavaScript enabled to view it.
    	 
    http://www.debian.org/security/                             Matt Zimmerman
    August 11th, 2003                        http://www.debian.org/security/faq
    - --------------------------------------------------------------------------
    
    Package        : perl
    Vulnerability  : cross-site scripting
    Problem-Type   : remote
    Debian-specific: no
    CVE Ids        : CAN-2003-0615
    
    A cross-site scripting vulnerability exists in the start_form()
    function in CGI.pm.  This function outputs user-controlled data into
    the action attribute of a form element without sanitizing it, allowing
    a remote user to execute arbitrary web script within the context of
    the generated page.  Any program which uses this function in the
    CGI.pm module may be affected.
    
    For the current stable distribution (woody) this problem has been fixed
    in version 5.6.1-8.3.
    
    For the unstable distribution (sid) this problem has been fixed in
    version 5.8.0-19.
    
    We recommend that you update your perl package.
    
    Upgrade Instructions
    - --------------------
    
    wget url
            will fetch the file for you
    dpkg -i file.deb
            will install the referenced file.
    
    If you are using the apt-get package manager, use the line for
    sources.list as given below:
    
    apt-get update
            will update the internal database
    apt-get upgrade
            will install corrected packages
    
    You may use an automated update by adding the resources from the
    footer to the proper configuration.
    
    Debian GNU/Linux 3.0 alias woody
    - --------------------------------
    
      Source archives:
    
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3.dsc
          Size/MD5 checksum:      687 ce62ebefcb7cb3a7ceda7e7b4f198d8a
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3.diff.gz
          Size/MD5 checksum:   137514 b69f430dc0fbd8f3a53cb7b596a18130
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1.orig.tar.gz
          Size/MD5 checksum:  5983695 ec1ff15464809b562aecfaa2e65edba6
    
      Architecture independent components:
    
         http://security.debian.org/pool/updates/main/p/perl/libcgi-fast-perl_5.6.1-8.3_all.deb
          Size/MD5 checksum:    30800 6627512aed16eb2e4848e7c85f232bef
         http://security.debian.org/pool/updates/main/p/perl/perl-doc_5.6.1-8.3_all.deb
          Size/MD5 checksum:  3885796 c32102529c71dcb3c849f53f207401c3
         http://security.debian.org/pool/updates/main/p/perl/perl-modules_5.6.1-8.3_all.deb
          Size/MD5 checksum:  1278610 690c5e4eed9384326c17f1fe2a8d4fb7
    
      Alpha architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:   619214 9f10a38c97f335255d04b2011a9b2497
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:   435158 b1948afd1ff9e8e7d212173dfce5da55
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:  1217562 0267549b6b2ba965048a8809e91ea7e8
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:   208506 b4d671fd7697ae48ea20d812aa606036
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:  2827160 6d6d6d0878aa79f7e0b498ec98ddfd0d
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_alpha.deb
          Size/MD5 checksum:    34880 82d93b8edbf39e2c44012c49a2c67796
    
      ARM architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_arm.deb
          Size/MD5 checksum:   516198 90fc7a31894b3b8263b3279b2002c69c
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_arm.deb
          Size/MD5 checksum:   362632 08fe841ab87b044fdcabf3ab035aff74
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_arm.deb
          Size/MD5 checksum:  1164134 0f36c636ff39e3338dec7c8d92d01642
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_arm.deb
          Size/MD5 checksum:   544758 7f547fee152404d3902cb1c88c6b1d42
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_arm.deb
          Size/MD5 checksum:  2306914 1d4b7a0a6bae4bf17e0277db0f93584a
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_arm.deb
          Size/MD5 checksum:    29396 f3f4b55c8d10104ca368cb5c85182174
    
      Intel IA-32 architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_i386.deb
          Size/MD5 checksum:   424710 0b3820f00a89c714a590c62313b29440
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_i386.deb
          Size/MD5 checksum:   374154 fe75d3617bf736ec1df5ecf720a7c5e7
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_i386.deb
          Size/MD5 checksum:  1170690 adb3586cc8070b6133d4e9487b187458
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_i386.deb
          Size/MD5 checksum:   529218 4c060ad1724ba91d339f7fda5a6ae1f6
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_i386.deb
          Size/MD5 checksum:  2119560 70a1dd6e8b99070b4819ac3e76213540
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_i386.deb
          Size/MD5 checksum:    34808 d8e6fd341884eca20accc028e63da9fb
    
      Intel IA-64 architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:   703464 a65213bd87a5a72e8a598278894277e6
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:   598576 a3fba3c40e4be8410d7c99fc2d223d18
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:  1266282 aa33b836adeebe93e19f975342ec96c5
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:   226208 78105a48118c49b10224b33a8b96f921
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:  3312380 5cde519642b5be4f2cd37a60df08b14b
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_ia64.deb
          Size/MD5 checksum:    45350 6bc4e7f9b5c1f19b36577159e85c413d
    
      HP Precision architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:   622784 9298ec9b4b752ffcef0605a067ab0f18
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:   473316 f6c18c7e8dfdffd477576aac21607669
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:  1211402 9cf48d63b80e40eeb581f6bc9e9e947f
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:   208396 cb9d7b8c6a6375df2a9113d27e4fc212
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:  2288092 9e7f6df4dd4c80f20a1c363c4ea22f0e
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_hppa.deb
          Size/MD5 checksum:    34078 b340e91bf9bb1d8ed66bc7460c07431d
    
      Motorola 680x0 architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:   399412 144771a003d242d0fb095492a532f63b
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:   331894 2bb4e99cc8be1d62233306fc742a2a33
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:  1149294 3652a4ed0685d86ab5df14a176efc524
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:   192160 c5f64c0ad60c9e98fdeeb8853b8b15d3
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:  2132018 e1fe7ab1dc63c3a14c648cfd07408031
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_m68k.deb
          Size/MD5 checksum:    27760 cdfcb42c4eca07191e3c8c9a4eb1889d
    
      Big endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_mips.deb
          Size/MD5 checksum:   522382 66d1a98cc1f70ef3a3d5cb49d7729d85
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_mips.deb
          Size/MD5 checksum:   364584 57a504230c2e6ef77fbefce8c8ddc1b9
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_mips.deb
          Size/MD5 checksum:  1158972 0791ffefb7be3146d4fcccf10d014cbf
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_mips.deb
          Size/MD5 checksum:   185706 8fd1f429c6df8049ed48697083ad3632
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_mips.deb
          Size/MD5 checksum:  2408580 ee25dc3b3a8e1613268117cd67cf8cf9
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_mips.deb
          Size/MD5 checksum:    29068 a64ccdfde3898458998eb37795f74b53
    
      Little endian MIPS architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:   516052 cb7767f8c91493224add44275f88ca5a
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:   361164 30ce85f4f26272b7f316ab3714713395
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:  1160190 a137b511853065510e9bc7a01895471b
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:   185216 6e3f2b84c54bc0fe8a5798134c7637b6
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:  2265644 6830ad3fbdc3d9ea3e1473ef4b6f682e
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_mipsel.deb
          Size/MD5 checksum:    28666 cc01f392ea36e3e67c1f74069a9f4c09
    
      PowerPC architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:   567158 d0c55107ca407ff5b62c330ad0ed0e8f
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:   400552 6305cd9e018f7d605a467bfa50c61489
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:  1183276 6ce93b50b61d51ebf28e9ae95f1ce6da
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:   202150 444051c60e1bf08c185eb0bda19b2c05
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:  2300354 80a18c49969f7dcba3f34fc9e4d76ccb
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_powerpc.deb
          Size/MD5 checksum:    30758 c6823a86b609a048fc6624b82ed8ff63
    
      IBM S/390 architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_s390.deb
          Size/MD5 checksum:   456042 83eb3f57c82d034f55d2ba89fb326889
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_s390.deb
          Size/MD5 checksum:   404842 fbca15e5c3a042fa02b83cff1d673b9c
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_s390.deb
          Size/MD5 checksum:  1167866 9768324a8f3995ec5c850700a6ed7919
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_s390.deb
          Size/MD5 checksum:   191120 3234034cb57a92b7c4a9cf388adf1537
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_s390.deb
          Size/MD5 checksum:  2210470 79e76c2967c8d54911281be4c6096cda
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_s390.deb
          Size/MD5 checksum:    32860 3e04300fba92b00a6a3a864c12f5a390
    
      Sun Sparc architecture:
    
         http://security.debian.org/pool/updates/main/p/perl/libperl-dev_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:   528758 244d78b4327fc0a5026502f76f3081b9
         http://security.debian.org/pool/updates/main/p/perl/libperl5.6_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:   403188 e3dd30bc5cd00927cdc344d0712c223f
         http://security.debian.org/pool/updates/main/p/perl/perl_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:  1191738 f2a8c2007489e44ad4a4ae0a70ae82f7
         http://security.debian.org/pool/updates/main/p/perl/perl-base_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:   210994 af02b8fb62440c98936cd40f90134098
         http://security.debian.org/pool/updates/main/p/perl/perl-debug_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:  2284860 aa4231641c35dba1cefff0d524d890a0
         http://security.debian.org/pool/updates/main/p/perl/perl-suid_5.6.1-8.3_sparc.deb
          Size/MD5 checksum:    31024 4b9d945a00139a14980072769c87885d
    
      These files will probably be moved into the stable distribution on
      its next revision.
    
    - ---------------------------------------------------------------------------------
    For apt-get: deb  http://security.debian.org/ stable/updates main
    For dpkg-ftp:  ftp://security.debian.org/debian-security dists/stable/updates/main
    Mailing list: This email address is being protected from spambots. You need JavaScript enabled to view it.
    Package info: `apt-cache show ' and  http://packages.debian.org/
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"37","type":"x","order":"1","pct":51.39,"resources":[]},{"id":"88","title":"Should be more technical","votes":"10","type":"x","order":"2","pct":13.89,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"25","type":"x","order":"3","pct":34.72,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.