[Namazu-devel-en] Namazu 2.0.14 released
knok at daionet.gr.jp
Wed Dec 15 13:28:00 JST 2004
Full-text search engine Namazu 2.0.14 released
2.0.13 or older version have Cross-Site Scripting vulnerability in
It affects all sites using namazu.cgi 2.0.13 or older version, and it
can exploit HTTP cookie and/or alter web contents.
The vulnerability was repored to Information-technology Promotion
Agency(IPA) by a discoverer. Namazu Project gets the issue from
JPCERT Coordination Center(JPCERT/CC) and fixed.
Overview of Changes in Namazu 2.0.14 - Dec 15, 2004
* Fix a cross-site scripting vulnerability.
(When query which begins from a tab (%09) is specified.)
Workaround to 2.0.13 and before :
1. move namazu.cgi and .namazurc to a place where you cannot access
with http. Assuming you move to /usr/local/lib.
2. create the script blow named namazu.cgi, and grant execution permission.
2.1. script by sh
QUERY_STRING=`echo "$QUERY_STRING" | sed -e 's/y=%09/y=%20/g'`
2.2. script by perl
Cross-Site Scripting vulnerability in Namazu
http://jvn.jp/jp/JVN%23904429FE.html (written in Japanese)
The problem produced when query begins from a tab (%09)
You can get Namazu 2.0.14 from http://www.namazu.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: not available
Url : http://www.namazu.org/pipermail/namazu-devel-en/attachments/20041215/c353349d/attachment.bin
More information about the Namazu-devel-en