#154 Cross-Site Scripting bugs in LXR

Milestone: v0.9.6
Status: closed-accepted
Owner: Malcolm Box
Labels: Browsing (93)
Priority: 5
Updated: 2010-01-05
Created: 2010-01-05
Creator: Dan Rosenberg
Private: No

Apologies if you've received duplicate e-mail from me, but I haven't
received any response from the LXR SourceForge e-mail addresses.

There are several cross-site scripting vulnerabilities in LXR. These
vulnerabilities could allow an attacker to execute scripts in a user's
browser, steal cookies associated with vulnerable domains,
redirect the user to malicious websites, etc. A proof-of-concept
URL may look like:

http://www.example.com/lxr/ident?i=<script>alert('XSS')</script>

I have confirmed these vulnerabilities in LXR 0.9.6 and 0.9.5. The
experimental LXR installation in use at lxr.linux.no is also vulnerable
with certain settings.

This issue has been assigned CVE-2009-4497. I have written a patch
for this issue, and I'd be happy to work with you to resolve the problem.
Please reply to discuss fixing and publishing this bug.

Thanks,
Dan Rosenberg
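The report describes a reflected XSS in the `ident` endpoint: the `i` query parameter is echoed into the page without HTML encoding. The following is an added illustration of that bug pattern and its remediation, written in Python for this page; it is not LXR's own (Perl) code or the reporter's patch. It parses the proof-of-concept URL quoted above, shows the unescaped rendering that lets the payload through, and then the fixed rendering that entity-encodes the value and, as defence in depth, rejects anything that is not a plausible C identifier. All function names are assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Proof-of-concept URL from the report (example.com is not a real target).
POC_URL = "http://www.example.com/lxr/ident?i=<script>alert('XSS')</script>"

# LXR looks up source identifiers, so a plain C-style identifier is the
# only input the `i` parameter legitimately needs to carry.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def ident_param(url: str) -> str:
    """Return the raw `i` query parameter as the browser would submit it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("i", [""])[0]


def render_vulnerable(ident: str) -> str:
    """Reflect the identifier into HTML untouched: the reported bug pattern."""
    return f"<h1>Identifier search for {ident}</h1>"


def render_fixed(ident: str) -> str:
    """Entity-encode the identifier before it is placed into the page.

    html.escape with quote=True also encodes ' and ", so the value is safe
    inside attribute values as well as element text.
    """
    return f"<h1>Identifier search for {html.escape(ident, quote=True)}</h1>"


def is_valid_identifier(ident: str) -> bool:
    """Allowlist check: anything that is not a C identifier is rejected
    before a lookup is attempted (defence in depth; output encoding is
    still the primary fix)."""
    return bool(IDENT_RE.match(ident))


def handle_request(url: str) -> str:
    """Hardened request path: validate, then encode on output."""
    ident = ident_param(url)
    if not is_valid_identifier(ident):
        return "<h1>Invalid identifier</h1>"
    return render_fixed(ident)


def contains_script_tag(page: str) -> bool:
    """Crude check used to show whether the payload survived into markup."""
    return "<script" in page.lower()


if __name__ == "__main__":
    payload = ident_param(POC_URL)
    print("vulnerable:", render_vulnerable(payload))
    print("fixed     :", render_fixed(payload))
    print("handled   :", handle_request(POC_URL))
    print("handled   :", handle_request("http://www.example.com/lxr/ident?i=kmalloc"))
```

Running the module prints the three renderings side by side: the vulnerable one contains a live `<script>` element, the fixed one contains only `&lt;script&gt;...`, and the hardened request path refuses the payload outright while still serving an ordinary identifier such as `kmalloc`.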

Discussion

  • Thank you for your report. (This is the first I've seen of it -- what addresses did you try earlier?) I'm honestly not sure what the maintenance status of the SF-hosted LXR code base is these days -- perhaps some of the other developers would like to speak up? I have not myself touched this code for some time.

    Regarding the lxr.linux.no code base, I'd be more than happy to attend to any issues you have found. You can reach me directly on arne@gledits.ch if you wish.

  • Malcolm Box
    2010-01-05

    This has now been fixed in the SF LXR codebase.

    As for the maintenance status, I think the most accurate answer is "patchy", as in I'd be very happy to find someone else to take over...

  • Malcolm Box
    2010-01-05

    • labels: --> Browsing
    • assigned_to: nobody --> mbox
    • status: open --> closed-accepted

  • Malcolm Box
    2010-01-05

    Fixed in release 0.9.7