cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

upgrade to 5.22

Browse Source 
SECURITY ADVISORY                                      20th March 2002
----------------------------------------------------------------------
Program: analog
Versions: all versions prior to 5.22
Operating systems: all
----------------------------------------------------------------------
Yuji Takahashi discovered a bug in analog which allows a cross-site
scripting type attack.

It is easy for an attacker to insert arbitrary strings into any web
server logfile. If these strings are then analysed by analog, they can
appear in the report. By this means an attacker can introduce
arbitrary Javascript code, for example, into an analog report produced
by someone else and read by a third person. Analog already attempted
to encode unsafe characters to avoid this type of attack, but the
conversion was incomplete.

Although it is not known that this bug has been exploited, it is easy
to exploit, and all users are advised to upgrade to version 5.22 of
analog immediately. The URL for analog is http://www.analog.cx/
I apologise for the inconvenience.

Thank you to Yuji Takahashi, Motonobu Takahashi and Takayuki Matsuki
for their help with this bug.

                                                        Stephen Turner
                                         analog-author@lists.isite.net
This commit is contained in:
form 2002-03-20 13:09:29 +00:00
parent 45349d0ec4
commit f77f85dd37
2 changed files with 5 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
www/analog/Makefile
View File

@ -1,8 +1,8 @@
# $OpenBSD: Makefile,v 1.30 2002/03/01 10:07:25 form Exp $
# $OpenBSD: Makefile,v 1.31 2002/03/20 13:09:29 form Exp $
COMMENT= "extremely fast program for analysing WWW logfiles"
DISTNAME= analog-5.21
DISTNAME= analog-5.22
CATEGORIES= www
MASTER_SITES= http://www.analog.cx/ \
http://www.statslab.cam.ac.uk/~sret1/analog/ \

6
www/analog/distinfo
View File

@ -1,3 +1,3 @@
MD5 (analog-5.21.tar.gz) = 2ea969c9f95ee22035aebc5e248ee234
RMD160 (analog-5.21.tar.gz) = cbab7e9b36bbac3d52defe68b154db5702f1c9ee
SHA1 (analog-5.21.tar.gz) = 92ee811dfa94741d220c6e489af8c2b56b087c08
MD5 (analog-5.22.tar.gz) = 7548e31ac6b21bec31966f98a789b426
RMD160 (analog-5.22.tar.gz) = c5f1094ec2328e3dd38bd262aae5909ea9858d54
SHA1 (analog-5.22.tar.gz) = 10d8ff187398243778fad0929e2a53f863ecf275