Gentoo Logo

Trac: Cross-site scripting vulnerability

Content:

1.  Gentoo Linux Security Advisory

Version Information

Advisory Reference GLSA 200601-12 / trac
Release Date January 26, 2006
Latest Revision January 26, 2006: 01
Impact low
Exploitable remote
Package Vulnerable versions Unaffected versions Architecture(s)
www-apps/trac < 0.9.3 >= 0.9.3 All supported architectures

Related bugreports: #118302

Synopsis

Trac is vulnerable to a cross-site scripting attack that could allow arbitrary JavaScript code execution.

2.  Impact Information

Background

Trac is a minimalistic web-based project management, wiki and bug tracking system including a Subversion interface.

Description

Christophe Truc discovered that Trac fails to properly sanitize input passed in the URL.

Impact

A remote attacker could exploit this to inject and execute malicious script code or to steal cookie-based authentication credentials, potentially compromising the victim's browser.

3.  Resolution Information

Workaround

There is no known workaround at this time.

Resolution

All Trac users should upgrade to the latest available version:

Code Listing 3.1: Resolution

# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/trac-0.9.3"

Note: Users with the vhosts USE flag set should manually use webapp-config to finalize the update.

4.  References

Print

Page updated January 26, 2006

Summary: This is a Gentoo Linux Security Advisory

Security Team
Contact Address

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.