FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

squidclamav -- cross-site scripting in default virus warning pages

Affected packages
squidclamav < 5.8
6.0 <= squidclamav < 6.7

Details

VuXML ID ce680f0a-eea6-11e1-8bd8-0022156e8794
Discovery 2012-07-24
Entry 2012-08-25

SquidClamav developers report:

This release fixes several security issues by escaping CGI parameters.

Prior to versions 6.7 and 5.8, the CGI script clwarn.cgi was not properly sanitizing input variables, so they could be used to inject arbitrary strings into the generated page, leading to cross-site scripting attacks.
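
The class of fix described above (escaping CGI parameters before they are written into the warning page) can be illustrated with the following added example, which is not SquidClamav's code. The parameter names, the page template, and the sample request are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Hypothetical parameter names and template; the advisory does not list them.
FIELDS = ("url", "virus", "source", "user")
PAGE = (
    "<html><body><h1>Virus detected</h1>"
    "<p>The URL {url} is infected with {virus}.</p>"
    "<p>Client {source}, user {user}</p></body></html>"
)
EXPECTED_TAGS = {"html", "body", "h1", "p"}


def parse_params(query_string):
    """Return the first value of each expected field; other fields are ignored."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: parsed.get(name, [""])[0] for name in FIELDS}


def render_unescaped(query_string):
    """Pre-fix behaviour per the advisory: values reach the page verbatim."""
    return PAGE.format(**parse_params(query_string))


def render_escaped(query_string):
    """Fixed behaviour: every value is HTML-escaped before interpolation."""
    params = parse_params(query_string)
    return PAGE.format(**{k: html.escape(v, quote=True) for k, v in params.items()})


class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)


def unexpected_tags(page):
    """Regression check: element names in the page that the template never emits."""
    collector = _TagCollector()
    collector.feed(page)
    collector.close()
    return collector.tags - EXPECTED_TAGS


# Constructed sample request, not taken from the advisory.
SAMPLE_QS = "url=http%3A%2F%2Fexample.test%2Fa%3Fx%3D1%26y%3D2&virus=%3Cb%3EEicar%3C%2Fb%3E&source=192.0.2.10&user=-"
```

`html.escape` covers values placed in element content or quoted attribute values; values written into script or URL contexts need the encoding appropriate to that context.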

References

CVE Name CVE-2012-4667
URL http://squidclamav.darold.net/news.html