libnginx-mod-http-fancyindex is using outdated version with missing html escaping
Bug #1979917 reported by
Stian Skjelstad
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| nginx (Ubuntu) |
Confirmed
|
Medium
|
Thomas Ward | ||
Bug Description
This patch has not made it into libnginx-
https:/
This causes filenames with html-entities to be served as-is to the end-user, possible XSS if filenames are generated by user.
| affects: | ubuntu → nginx (Ubuntu) |
| information type: | Private Security → Public Security |
Revision history for this message
| Thomas Ward (teward) wrote | #1 |
| Changed in nginx (Ubuntu): | |
| importance: | Undecided → Medium |
| assignee: | nobody → Thomas Ward (teward) |
Revision history for this message
| Thomas Ward (teward) wrote | #2 |
Revision history for this message
| Stian Skjelstad (mywave) wrote | #3 |
Revision history for this message
| Thomas Ward (teward) wrote | #4 |
Revision history for this message
| Steve Beattie (sbeattie) wrote | #5 |
Revision history for this message
| Steve Beattie (sbeattie) wrote | #6 |
| Changed in nginx (Ubuntu): | |
| status: | New → Confirmed |
To post a comment you must log in.
We (Debian) are also checking and merging to Kinetic - can you check if this is patched in Debian as well? So I can make sure its patched in Salsa as well as here in Ubuntu.