GLSA-200409-23 : SnipSnap: HTTP response splitting

This script is Copyright (C) 2004-2014 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-200409-23
(SnipSnap: HTTP response splitting)

SnipSnap contains various HTTP response splitting vulnerabilities that
could potentially compromise the sites data. Some of these attacks
include web cache poisoning, cross-user defacement, hijacking pages
with sensitive user information, and cross-site scripting. This
vulnerability is due to the lack of illegal input checking in the
software.

Impact :

A malicious user could inject and execute arbitrary script code,
potentially compromising the victim's data or browser.

Workaround :

There is no known workaround at this time.

See also :

http://www.nessus.org/u?1a47e4e1
http://www.gentoo.org/security/en/glsa/glsa-200409-23.xml

Solution :

All SnipSnap users should upgrade to the latest version:
# emerge sync
# emerge -pv '>=dev-java/snipsnap-bin-1.0_beta1'
# emerge '>=dev-java/snipsnap-bin-1.0beta1'

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)

Family: Gentoo Local Security Checks

Nessus Plugin ID: 14774 (gentoo_GLSA-200409-23.nasl)

Bugtraq ID:

CVE ID: CVE-2004-1470