ports/151055: [MAINTAINER] [security] www/phpmyfaq: update to 2.6.9, fix XSS vulnerability

Florian Smeets flo at smeets.im
Wed Sep 29 07:40:05 UTC 2010


The following reply was made to PR ports/151055; it has been noted by GNATS.

From: Florian Smeets <flo at smeets.im>
To: bug-followup at FreeBSD.org
Cc:  
Subject: Re: ports/151055: [MAINTAINER] [security] www/phpmyfaq: update to 2.6.9, fix XSS vulnerability
Date: Wed, 29 Sep 2010 09:36:16 +0200

 
 Here is the vuxml entry.
 
 
 --- vuln.xml.old	2010-09-29 09:06:01.000000000 +0200
 +++ vuln.xml	2010-09-29 09:21:18.000000000 +0200
 @@ -34,6 +34,36 @@
  
  -->
  <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
 +  <vuln vid="068732bb-cb98-11df-bc93-001c42d23634">
 +    <topic>phpmyfaq -- XSS vulnerabilities</topic>
 +    <affects>
 +      <package>
 +	<name>phpmyfaq</name>
 +	<range><ge>2.6.0</ge><lt>2.6.9</lt></range>
 +      </package>
 +    </affects>
 +    <description>
 +      <body xmlns="http://www.w3.org/1999/xhtml">
 +	<p>The phpMyFAQ project reports:</p>
 +	<blockquote cite="http://www.phpmyfaq.de/advisory_2010-09-28.php">
 +	  <p>The phpMyFAQ Team has learned of a security issue that has been 
 +	  discovered in phpMyFAQ 2.6.x</p>
 +	  <p>phpMyFAQ doesn't sanitize some variables in different pages
 +	  correctly. With a properly crafted URL it is e.g. possible to inject
 +	  JavaScript code into the output of a page, which could result in the
 +	  leakage of domain cookies (f.e. session identifiers).</p>
 +	</blockquote>
 +      </body>
 +    </description>
 +    <references>
 +    <url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>
 +    </references>
 +    <dates>
 +      <discovery>2010-09-28</discovery>
 +      <entry>2010-09-29</entry>
 +    </dates>
 +  </vuln>
 +
    <vuln vid="80b6d6cc-c970-11df-bb18-0015587e2cc1">
      <topic>openx -- remote code execution vulnerability</topic>
      <affects>
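Review bot: the indentation inside the new <references> block is inconsistent with the rest of the entry: <url> on the line after <references> sits at the same depth as its parent, while every other child element in this vuln (for example <package> under <affects>, <discovery> under <dates>) is indented two spaces further; indent it to match, i.e. `      <url>http://www.phpmyfaq.de/advisory_2010-09-28.php</url>`. The first <p> inside the <blockquote> also carries trailing whitespace after "has been ", which should be stripped before commit. If a CVE identifier has been assigned for this advisory, adding it as a <cvename> reference alongside the <url> would make the entry easier to cross-reference.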
 
