Weekly edition	Kernel	Security	Distributions	Contact Us	Search
Archives	Calendar	Subscribe	Write for LWN	LWN.net FAQ	Sponsors

trac: missing input sanitizing

Package(s):

trac

CVE #(s):

CVE-2005-4065 CVE-2005-4644

Created:

January 23, 2006

Updated:

January 30, 2006

Description:

Several vulnerabilities have been discovered in trac, an enhanced wiki and issue tracking system for software development projects. Due to missing input sanitizing it is possible to inject arbitrary SQL code into the SQL statements (CVE-2005-4065). A cross-site scripting vulnerability has been discovered that allows remote attackers to inject arbitrary web script or HTML (CVE-2005-4644).

Alerts:

Debian	DSA-951-2	2006-01-30
Debian	DSA-951-1	2006-01-23

(Log in to post comments)

"created" date misleading

Posted Jan 26, 2006 10:45 UTC (Thu) by wingo (subscriber, #26929) [Link]

The SQL injection vulnerability was fixed on 5 December, with the 0.9.2 release.

The XSS vulnerability was fixed on 8 January, with the 0.9.3 release.

I went into a hurry when I saw the 23 Jan "created" date, but that's very misleading, considering the issues are more than 2 months old. What happened?

trac: missing input sanitizing

Posted Jan 26, 2006 10:45 UTC (Thu) by bdash (guest, #35482) [Link]

It'd be nice if the article was a lot clearer about the fact that both of these vulnerabilities have long
since been patched. The SQL injection vulnerability was resolved in Trac 0.9.2, released in early
December. The cross-site scripting vulnerability was resolved in Trac 0.9.3, released in early
January. In my opinion releasing an "advisory" like this so late after the fact and with no information
about the fact the issues have been resolved is irresponsible.