Date: Thu, 27 Oct 2011 16:00:48 -0500
From: Jamie Strandboge <jamie@...onical.com>
To: Craig Barratt <cbarratt@...rs.sourceforge.net>, coley@...us.mitre.org, 
	oss-security <oss-security@...ts.openwall.com>
Cc: security@...ntu.com
Subject: CVE Request: Security issue in backuppc

Hi Craig,

While preparing updates to fix CVE-2011-3361 in Ubuntu I discovered
another XSS vulnerability in View.pm when accessing the following URLs
in backuppc:
index.cgi?action=view&type=XferLOG&num=<XSS here>&host=<some host>
index.cgi?action=view&type=XferErr&num=<XSS here>&host=<some host>

You are being emailed as the upstream contact. Please keep
oss-security@...ts.openwall.com[1] CC'd for any updates on this issue.

To oss-security, can I have a CVE for this? It is essentially the same
vulnerability and fix as for CVE-2011-3361, but in CGI/View.pm instead
of CGI/Browse.pm. Attached is a patch to fix this issue. Tested on
3.0.0, 3.1.0, 3.2.0 and 3.2.1.

-- 
Jamie Strandboge             | http://www.canonical.com

diff -u backuppc-3.2.0/lib/BackupPC/CGI/View.pm backuppc-3.2.0/lib/BackupPC/CGI/View.pm
--- backuppc-3.2.0/lib/BackupPC/CGI/View.pm
+++ backuppc-3.2.0/lib/BackupPC/CGI/View.pm
@@ -46,7 +46,7 @@
     my $compress = 0;
     my $fh;
     my $host = $In{host};
-    my $num  = $In{num};
+    my $num  = ${EscHTML($In{num})};
     my $type = $In{type};
     my $linkHosts = 0;
     my($file, $comment);

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]