Someone posted in the /. comments that Google had released a fix. How
nice of them to tell us, right?
http://www.google.com/support/urchin45/bin/answer.py?answer=76399&top...
Cross Site Scripting (XSS) Vulnerability in Urchin 5.703 and earlier
Overview
A cross site scripting (XSS) vulnerability exists in the login page
for all versions of Urchin 5 up to and including 5.703.
Impact on Urchin Customers
This vulnerability can be exploited to execute arbitrary HTML and
script code in a user's browser session in the context of the site
running Urchin.
Mitigation
A fix is available in the form of a drop-in replacement for the Urchin
template file that contains the vulnerability. ZIP packages that
contain the updated template file and installation instructions are
available from download.urchin.com as:
UNIX-type systems (FreeBSD, IRIX, Linux, MacOS-X, Solaris)
http://download.urchin.com/support/Urchin5703_template_update_nonwin.zip
Windows
http://download.urchin.com/support/Urchin5703_template_update_win.zip
Urchin 5 customers are strongly encouraged to apply this fix to all
installed instances of Urchin 5.703.
Side Effect of Fix
Though this fix does not in any way affect the core functionality or
accuracy of Urchin 5, it does introduce a slight session-specific
behavioral change to the product. Previously, Urchin 5 would remember
the Urchin screen that a user was on and would restore the user to
that screen after a session timeout. After applying the fix, Urchin
will no longer restore users back to the current Urchin screen; users
will be taken to the default profile view landing page instead.
On Oct 10, 12:06 pm, Fireye wrote:
> Urchin got a mention on /. today. Hopefully it'll get some loving.
> http://slashdot.org/article.pl?sid=07/10/10/1256244
> On Oct 2, 10:15 am, Fireye wrote:
> > This seems to be getting a bit more attention. Two additional
> > vulnerabilities have shown up on US CERT's vulnerability mailing list.
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5112
> > http://nvd.nist.gov/...
> > ... supposedly, Google was notified in June of the issue, and they
> > said they were working on a fix. Now it's October.
> > On Sep 14, 1:26 pm, Fireye wrote:
> > > *tag* Nessus alerted us to this very issue as well. I put in a
> > > ticket through secure.urchin.com, we'll see if I get any response.
> > > On Aug 29, 2:18 pm, Gray Loon wrote:
> > > > We use ScanAlert to check our site for vulnerabilities. They found an
> > > > XSS vulnerability with the 5.7.03 session.cgi file. I was told that
> > > > Google would provide a patched version of the file, but they haven't
> > > > responded to my emails or trouble tickets. Anyone know of a fix or
> > > > have the patched version to share?
> > > > To duplicate the issue, use the link below with your domain in place.
> > > > You should see a javascript prompt with 123 in it. This is bad.
> > > > http://www.domain.com:9999/session.cgi?%3E%22%3E%3Cscript%3Ealert%281...
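
A log check for the request pattern discussed in this thread, added here as an example; it is not part of any post or of Google's advisory. It flags session.cgi requests whose query string decodes to HTML markup. It assumes the access log is in common log format and that legitimate session.cgi query strings never contain angle brackets or quotes; the function names and sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumption: a legitimate session.cgi query string never carries these
# characters, so their presence after decoding signals markup injection.
SUSPICIOUS = re.compile(r"[<>\"']")

# Common/combined log format: the request line is the first quoted field.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads (%253C) are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_session_cgi_xss(log_lines):
    """Return (line_number, decoded_query) for suspicious session.cgi requests."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        path, _, query = match.group(1).partition("?")
        if not path.lower().endswith("/session.cgi") or not query:
            continue
        decoded = fully_decode(query)
        if SUSPICIOUS.search(decoded):
            hits.append((number, decoded))
    return hits

# Constructed sample lines (documentation IP range), not from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2007:12:00:01 +0000] "GET /session.cgi?profile=example&view=default HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Oct/2007:12:00:07 +0000] "GET /session.cgi?%3E%22%3E%3Cscript%3Ealert%28123%29%3C/script%3E HTTP/1.1" 200 5301',
    '192.0.2.44 - - [10/Oct/2007:12:00:09 +0000] "GET /session.cgi?%253Cimg%2520src%253Dx%253E HTTP/1.1" 200 5298',
    '192.0.2.10 - - [10/Oct/2007:12:00:15 +0000] "GET /other.cgi?q=%3Cb%3E HTTP/1.1" 200 901',
]

if __name__ == "__main__":
    for number, decoded in flag_session_cgi_xss(SAMPLE_LOG):
        print(f"line {number}: {decoded}")
```

Hits dated before the template update was installed are the ones worth following up, since the injected markup would have rendered on the login page at that time.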