[Xapian-discuss] Cross-site scripting issue in Omega

Olly Betts olly at survex.com
Wed Sep 9 14:25:06 BST 2009


There's a cross-site scripting issue in Omega - exception messages
don't currently get HTML entities escaped, but can contain CGI parameter
values in some cases.

This issue was reported to me through Debian's security team who have
allocated CVE-2009-2947 to it, and have notified other vendors.

If you're not familiar with such vulnerabilities, this one is what is
termed a "Non-persistent" vulnerability here:

http://en.wikipedia.org/wiki/Cross-site_scripting

Because Omega itself doesn't use cookies, the potential impact is low
unless you host Omega on a domain name which runs other web applications
which do have sensitive cookies (or if such cookies are set on the parent
domain), but the fix is extremely unlikely to have side-effects, so I'd
recommend everyone should apply it.

I've attached a patch which escapes HTML entities in exception
messages which should apply to 1.0.9 and later versions (including all
1.1.x).

1.0.8 and earlier don't catch std::exception but otherwise the same
patch should work, though you should consider upgrading to a more
recent release.

If anyone cares about 0.9.x then the query.h header guard macro name is
different, but otherwise the code is the same as older 1.0.x.

Patched Debian packages should appear shortly, and I intend to release
1.0.16 soon including this fix.

Cheers,
    Olly
-------------- next part --------------
A non-text attachment was scrubbed...
Name: omega-xss-fix-cve-2009-2947.patch
Type: text/x-diff
Size: 1329 bytes
Desc: not available
Url : http://lists.xapian.org/pipermail/xapian-discuss/attachments/20090909/ddd9b51a/attachment.patch 