| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 18 Dec 2003 18:13:06 -0500 (EST) From: bugtraq@...ntcorporation.com To: bugtraq@...urityfocus.com Subject: Re: Cross-site scripting vulnerability in SARA v<=4.2.7 On Thu, 18 Dec 2003, toddr arc com wrote: > 1. CSS: Tom indicates that SATAN and older versions of SAINT are not > vulnerable to CSS. Tom is incorrect as all used the SATAN engine > which did not tranlate "<" and ">" to their html codes "<" and > "> I suspect that SAINT has fixed it, SARA has, but SATAN has > not. I disagree. Tom's original posting seems correct. Although SARA, SAINT, and SATAN all use an http engine derived from the same code, this specific vulnerability arises from code introduced in SARA which was not part of SATAN or SAINT (from sara_run_action.pl): $debug="ON" if ! $daemon; $debug="" if $daemon; select CLIENT; This block of code enables debugging whenever a scan runs in non-daemon (standalone) mode and redirects the debugging output to the browser, which, prior to 5.0.0, could include service banners containing script tags. And, in any case, worthwhile security ideas should not be discouraged. If every vulnerability posting were considered a "complaint" by the respective vendor, this list would become a very unfriendly environment for sharing security concerns. -- Sam Kline Chief Development Engineer SAINT Corporation
Powered by blists - more mailing lists