In-Reply-To: <Pine.LNX.4.44.0206281905330.9527-100000@ticalc.ticalc.org>

>PW> My example URL suggests that version 3.1.5 is also immune, though 3.1.5
>PW> has other issues that 3.1.6 resolves -- see
>PW> http://online.securityfocus.com/bid/3410 and
>PW> http://www.htdig.org/index.html
>
>Version 3.2.0b3 seems to be vulnerable.

Sorry for the somewhat slow response, I'm not normally subscribed to BugTraq. Two previous attempts to send this (July 1 and July 5th) did not go through for whatever reason.

As far as XSS goes, the following versions have default templates that are immune to such things--you'd get properly-HTML encoded "script" tags.

3.2.0b2, 3.2.0b3 and snapshots of 3.2.0b4
3.1.5 and 3.1.6
(only 3.2.0b4 and 3.1.6 solve other, non-XSS issues)

Now, we'll certainly send out an announcement reminding people that they should be using recent versions of ht://Dig and that they should make sure their templates use the $&(VAR) form that HTML-escapes output. And it'll be a good idea to update the documentation to make this clear.

But... I'll point out that ht://Dig has its own mailing list. If there is a vulnerability that has *not* been addressed in current versions, please let us know, give us a specific example and we'll post to BugTraq. Further discussion is probably best left on the htdig-discuss@lists.sourceforge.net or htdig-dev mailing lists or via private e-mail.

Regards,

--
-Geoff Hutchison
Williams Students Online
http://wso.williams.edu/
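
The template advice above, as an added example that is not part of the original message or of ht://Dig's own code: a small audit that lists template variable references not written in the `$&(VAR)` form, plus a simplified model of substitution showing the difference in output. The sample template, the variable names `WORDS` and `PAGELIST`, and the plain `$(VAR)` form being inserted unescaped are assumptions made for illustration.

```python
import html
import re

# Matches $(NAME) and $<modifier>(NAME), for example $&(NAME).
VAR_REF = re.compile(r"\$([^\w\s(]?)\((\w+)\)")

# Constructed sample template; the variable names are assumptions.
SAMPLE_TEMPLATE = """\
<title>Search results for '$(WORDS)'</title>
<h1>Results for '$&(WORDS)'</h1>
<input type="text" name="words" value="$(WORDS)">
$(PAGELIST)
"""

def find_unescaped(template, names=None):
    """Return (line_number, reference) for every variable reference that is
    not in the $&(VAR) form. If names is given, only those variables count."""
    findings = []
    for line_no, line in enumerate(template.splitlines(), start=1):
        for match in VAR_REF.finditer(line):
            modifier, name = match.groups()
            if modifier == "&":
                continue  # HTML-escaped form, nothing to report
            if names is not None and name not in names:
                continue  # variable is not on the caller's watch list
            findings.append((line_no, match.group(0)))
    return findings

def render(template, values):
    """Simplified model of substitution (an assumption, not ht://Dig code):
    $&(VAR) is HTML-escaped, any other form is inserted as-is.
    Variables missing from values are left untouched."""
    def substitute(match):
        modifier, name = match.groups()
        if name not in values:
            return match.group(0)
        value = values[name]
        return html.escape(value, quote=True) if modifier == "&" else value
    return VAR_REF.sub(substitute, template)

if __name__ == "__main__":
    for line_no, ref in find_unescaped(SAMPLE_TEMPLATE, names={"WORDS"}):
        print(f"line {line_no}: {ref} is not HTML-escaped")
    print(render(SAMPLE_TEMPLATE, {"WORDS": "<script>x</script>"}))
```

Passing `names` limits the report to variables that carry user-supplied text, since some variables may hold markup that is meant to be inserted as HTML.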