Summary
The remote host is missing an update to xapian-omega announced via advisory DSA 1882-1.
Solution
https://secure1.securityspace.com/smysecure/catid.html?in=DSA%201882-1
Insight
It was discovered that xapian-omega, a CGI interface for searching xapian databases, is not properly escaping user supplied input when printing exceptions. An attacker can use this to conduct cross-site scripting attacks via crafted search queries resulting in an exception and steal potentially sensitive data from web applications running on the same domain or embedding the search engine into a website.
For the oldstable distribution (etch), this problem has been fixed in version 0.9.9-1+etch1.
For the stable distribution (lenny), this problem has been fixed in version 1.0.7-3+lenny1.
For the testing (squeeze) and unstable (sid) distribution, this problem will be fixed soon.
We recommend that you upgrade your xapian-omega packages.
Severity
Classification
-
CVE CVE-2009-2947 -
CVSS Base Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N
Related Vulnerabilities