OpenPKG Corporation → Security → Security Advisories

OpenPKG Security Advisory

OpenPKG-SA-2003.036

Publisher Name:          OpenPKG GmbH
Publisher Home:          http://openpkg.com/

Advisory Id (public):    OpenPKG-SA-2003.036
Advisory Type:           OpenPKG Security Advisory (SA)
Advisory Directory:      http://openpkg.com/go/OpenPKG-SA
Advisory Document:       http://openpkg.com/go/OpenPKG-SA-2003.036
Advisory Published:      2010-03-16 22:49 UTC

Issue Id (internal):     OpenPKG-SI-20030806.02
Issue First Created:     2003-08-06
Issue Last Modified:     2006-11-28
Issue Revision:          05


Subject Name:            Perl CGI.pm
Subject Summary:         Perl Module for WWW client and server behavior
Subject Home:            http://www.cpan.org/
Subject Versions:        * <= 20030726

Vulnerability Id:        CVE-2003-0615
Vulnerability Scope:     global (not OpenPKG specific)

Attack Feasibility:      run-time
Attack Vector:           remote network
Attack Impact:           identity fraud

Description:
    According to a security advisory [0] from obscure@eyeonsecurity.org a
    cross site scripting vulnerability exists in the start_form() function
    from CGI.pm [1].
    
    Note that beginning with perl-www-20030609-20030609 and
    perl-www-1.3.0-1.3.0 a preliminary vendor patch was already included
    which fixes the specific issue discussed in the original advisory. Our
    corrected packages now include the more generalized patch the author
    uses in his latest version.

References:
    [0] http://eyeonsecurity.org/advisories/CGI.pm/adv.html
    [1] http://stein.cshl.org/WWW/software/CGI/
    [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0615
    [3] http://www.openpkg.org/tutorial.html#regular-source
    [4] http://www.openpkg.org/tutorial.html#regular-binary
    [5] ftp://ftp.openpkg.org/release/1.2/UPD/perl-www-1.2.1-1.2.1.src.rpm
    [6] ftp://ftp.openpkg.org/release/1.3/UPD/perl-www-1.3.1-1.3.1.src.rpm
    [7] ftp://ftp.openpkg.org/release/1.2/UPD/
    [8] ftp://ftp.openpkg.org/release/1.3/UPD/
    [9] http://www.openpkg.org/security.html#signature


Primary Package Name:    perl-www
Primary Package Home:    http://openpkg.org/go/package/perl-www

Affected Distribution:   Affected Branch:  Affected Package:
OpenPKG Community        1.2-SOLID         perl-www-1.2.0-1.2.0
OpenPKG Community        1.3-SOLID         perl-www-1.3.0-1.3.0
OpenPKG Community        CURRENT           perl-www-20030726-20030726

Corrected Distribution:  Corrected Branch: Corrected Package:
OpenPKG Community        1.2-SOLID         perl-www-1.2.1-1.2.1
OpenPKG Community        1.3-SOLID         perl-www-1.3.1-1.3.1
OpenPKG Community        CURRENT           perl-www-20030802-20030802

→ Plain Text Version

Latest Advisories:
2007.023 perl
2007.022 bind
2007.021 wordpress
2007.020 php
2007.019 php
2007.018 freetype
2007.017 ratbox
2007.016 gd
2007.015 quagga
2007.014 bind
→ more...

Validation: XHTML | CSS

Organisations
Products
- OpenPKG Community
- Features
- Technology Pitch
- Package Database
- Registration
  - Registration Overview
  - Registry Service
- Download
  - Download Policy
  - Download Service
- Sales
  - Request
Services
Security
Documentation
- Flyer
- Presentation
- Showcase
- Article
- Thesis
- Tutorial
- Packaging
- F.A.Q
Community
My OpenPKG