From owner-freebsd-ports-bugs@FreeBSD.ORG  Sun Dec  7 06:40:01 2008
Return-Path: <owner-freebsd-ports-bugs@FreeBSD.ORG>
Delivered-To: freebsd-ports-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C06B31065672
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Sun,  7 Dec 2008 06:40:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 990338FC14
	for <freebsd-ports-bugs@hub.freebsd.org>;
	Sun,  7 Dec 2008 06:40:01 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id mB76e1hX038359
	for <freebsd-ports-bugs@freefall.freebsd.org>;
	Sun, 7 Dec 2008 06:40:01 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.3/8.14.3/Submit) id mB76e16H038358;
	Sun, 7 Dec 2008 06:40:01 GMT (envelope-from gnats)
Resent-Date: Sun, 7 Dec 2008 06:40:01 GMT
Resent-Message-Id: <200812070640.mB76e16H038358@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-ports-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Ayumi M <ayu@dahlia.commun.jp>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 857611065670
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  7 Dec 2008 06:38:34 +0000 (UTC)
	(envelope-from ayu@dahlia.commun.jp)
Received: from spur02.stridge.co.jp (spur02.v6.stridge.co.jp
	[IPv6:2001:470:f00a::1])
	by mx1.freebsd.org (Postfix) with ESMTP id 4692C8FC08
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  7 Dec 2008 06:38:33 +0000 (UTC)
	(envelope-from ayu@dahlia.commun.jp)
Received: from dahlia.commun.jp (ppps0063.kitakyushu02.bbiq.jp
	[218.219.101.191])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by spur02.stridge.co.jp (Postfix) with ESMTP id 86BFCB245F
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  7 Dec 2008 15:38:32 +0900 (JST)
Received: from dahlia.commun.jp (localhost [127.0.0.1])
	by dahlia.commun.jp (Postfix) with ESMTP id C120A62E4
	for <FreeBSD-gnats-submit@freebsd.org>;
	Sun,  7 Dec 2008 15:38:00 +0900 (JST)
Received: by dahlia.commun.jp (Postfix, from userid 1001)
	id B653062E3; Sun,  7 Dec 2008 15:38:00 +0900 (JST)
Message-Id: <20081207063800.B653062E3@dahlia.commun.jp>
Date: Sun,  7 Dec 2008 15:38:00 +0900 (JST)
From: Ayumi M <ayu@dahlia.commun.jp>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: ports/129475: [vuxml] [MAINTAINER] www/habari: 
X-BeenThere: freebsd-ports-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Ayumi M <ayu@dahlia.commun.jp>
List-Id: Ports bug reports <freebsd-ports-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports-bugs>
List-Post: <mailto:freebsd-ports-bugs@freebsd.org>
List-Help: <mailto:freebsd-ports-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports-bugs>, 
	<mailto:freebsd-ports-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Dec 2008 06:40:01 -0000


>Number:         129475
>Category:       ports
>Synopsis:       [vuxml] [MAINTAINER] www/habari:
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 07 06:40:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Ayumi M
>Release:        FreeBSD 7.0-RELEASE-p5 i386
>Organization:
>Environment:
System: FreeBSD dahlia.commun.jp 7.0-RELEASE-p5 FreeBSD 7.0-RELEASE-p5 #0: Wed Oct 1 10:10:12 UTC 2008 root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC i386
>Description:
VuXML update for CVE-2008-4601

criting from http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4601
--
Cross-site scripting (XSS) vulnerability in the login feature in Habari CMS 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the habari_username parameter. 
--
>How-To-Repeat:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4601
http://secunia.com/advisories/32311/
>Fix:

	

--- vuln-5e051e94-c35d-11dd-aff6-001b210f913f.xml begins here ---
<vuln vid="5e051e94-c35d-11dd-aff6-001b210f913f">
  <topic>habari -- Cross-site scripting</topic>
  <affects>
    <package>
      <name>habari</name>
      <range><lt>0.5.2</lt></range>
    </package>
  </affects>
  <description>
    <body xmlns="http://www.w3.org/1999/xhtml">
      <blockquote cite="http://secunia.com/advisories/32311/">
        <p>swappie has discovered a vulnerability in Habari, which
        can be exploited by malicious people to conduct cross-site
        scripting attacks.</p>
        <p>Input passed via the "habari_username" parameter when
        logging in is not properly sanitised before being returned
        to the user. This can be exploited to execute arbitrary
        HTML and script code in a user's browser session in context
        of an affected site.</p>
      </blockquote>
    </body>
  </description>
  <references>
    <cvename>CVE-2008-4601</cvename>
    <url>http://secunia.com/advisories/32311/</url>
    <url>http://www.habariproject.org/en/habari-version-0-5-2</url>
  </references>
  <dates>
    <discovery>2008-10-15</discovery>
  </dates>
</vuln>
--- vuln-5e051e94-c35d-11dd-aff6-001b210f913f.xml ends here ---


>Release-Note:
>Audit-Trail:
>Unformatted: