September 8, 2009

Debian Security Advisory 1882 xapian-omega - missing input sanitization

Article Source Debian Security Advisories
September 8, 2009, 5:00 pm

It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website.

For the oldstable distribution (etch), this problem has been fixed in version 0.9.9-1+etch1.

For the stable distribution (lenny), this problem has been fixed in version 1.0.7-3+lenny1.

For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon.

We recommend that you upgrade your xapian-omega packages...

Read More

Click Here!