[Namazu-devel-en] Namazu 2.0.14 released

NOKUBI Takatsugu knok at daionet.gr.jp
Wed Dec 15 13:28:00 JST 2004


Full-text search engine Namazu 2.0.14 released

2.0.13 or older version have Cross-Site Scripting vulnerability in
namazu.cgi.
It affects all sites using namazu.cgi 2.0.13 or older version, and it
can exploit HTTP cookie and/or alter web contents.

The vulnerability was repored to Information-technology Promotion
Agency(IPA) by a discoverer. Namazu Project gets the issue from
JPCERT Coordination Center(JPCERT/CC) and fixed.

Overview of Changes in Namazu 2.0.14 - Dec 15, 2004

* Fix a cross-site scripting vulnerability.
  (When query which begins from a tab (%09) is specified.)

Workaround:

Workaround to 2.0.13 and before :

1. move namazu.cgi and .namazurc to a place where you cannot access
with http.  Assuming you move to /usr/local/lib.

2. create the script blow named namazu.cgi, and grant execution permission.
2.1. script by sh

#!/bin/sh
QUERY_STRING=`echo "$QUERY_STRING" | sed -e 's/y=%09/y=%20/g'`
export QUERY_STRING
/usr/local/lib/namazu.cgi

2.2. script by perl

!#/usr/bin/perl
$ENV{QUERY_STRING}=~s/y=%09/y=%20/g;
system("/usr/local/lib/namazu.cgi");

See also:
  JVN#904429FE
  Cross-Site Scripting vulnerability in Namazu
  http://jvn.jp/jp/JVN%23904429FE.html (written in Japanese)

  The problem produced when query begins from a tab (%09)
  http://www.namazu.org/security.html.en#cross-site-scripting

You can get Namazu 2.0.14 from http://www.namazu.org/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://www.namazu.org/pipermail/namazu-devel-en/attachments/20041215/c353349d/attachment.bin


More information about the Namazu-devel-en mailing list