
Bug#240675: marked as done (www.debian.org: redirect.pl wide open and fools people)



Your message dated Tue, 30 Mar 2004 23:55:31 -0800
with message-id <20040331075531.GA1010@catalunya>
and subject line Bug#240675: www.debian.org: redirect.pl wide open and fools people
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Mar 2004 17:05:22 +0000
>From schuller@blue.smop.org Sun Mar 28 09:05:22 2004
Return-path: <schuller@blue.smop.org>
Received: from smop.xs4all.nl (localhost) [213.84.68.234] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1B7dis-0003Q6-00; Sun, 28 Mar 2004 09:05:22 -0800
Received: by localhost (Postfix, from userid 1000)
	id F04E37FCBE; Sun, 28 Mar 2004 19:05:30 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Bart Schuller <schuller@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: www.debian.org: redirect.pl wide open and fools people
X-Mailer: reportbug 2.55
Date: Sun, 28 Mar 2004 19:05:30 +0200
Message-Id: <20040328170530.F04E37FCBE@localhost>
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: www.debian.org
Severity: normal


As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
the redirect.pl script on cgi.debian.org can be abused. Note that it
didn't work in galeon, but I expect this will be different for people
using Windows.

Perhaps some sort of referrer check is in order?

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=en_US

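A hardened redirect handler, added here to illustrate the target validation and referrer check this report asks for; it is not Debian's redirect.pl and not the patch the thread refers to. The allowed target hosts and trusted referrer hosts are assumed values.

```python
"""Hardened redirect handling for a CGI redirector such as the redirect.pl
reported above. Added example; not Debian's script or the referenced patch.
The host lists below are constructed assumptions, not Debian's configuration."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_SCHEMES = {"http", "https"}
# Destinations the redirector may send a visitor to (assumed allowlist).
ALLOWED_TARGET_HOSTS = {"www.debian.org", "lists.debian.org", "bugs.debian.org"}
# Pages expected to link through the redirector (assumed).
TRUSTED_REFERER_HOSTS = {"www.debian.org", "cgi.debian.org"}


def safe_target(raw):
    """Return a normalized redirect URL, or None when the target must be refused.

    Only same-site absolute paths or http(s) URLs whose host is allowlisted
    pass; scheme-relative (//host), userinfo, backslash, control characters
    and odd ports are refused because browsers may reinterpret them."""
    if not raw or any(ord(c) < 0x20 or c == "\\" for c in raw):
        return None
    try:
        parts = urlsplit(raw.strip())
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.scheme and not parts.netloc:  # relative target
        if not parts.path.startswith("/"):
            return None
        return urlunsplit(("", "", parts.path, parts.query, ""))
    if parts.scheme.lower() not in ALLOWED_SCHEMES or parts.username or parts.password:
        return None
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_TARGET_HOSTS or port not in (None, 80, 443):
        return None
    return urlunsplit((parts.scheme.lower(), host, parts.path or "/",
                       parts.query, parts.fragment))


def referer_trusted(referer):
    """Referrer check as suggested in the report. Referer is client-supplied and
    often stripped by proxies or privacy settings, so it is a secondary signal
    on top of safe_target(), never the sole gate."""
    if not referer:
        return False
    return (urlsplit(referer).hostname or "").lower() in TRUSTED_REFERER_HOSTS


def redirect_response(target, referer):
    """Decide the CGI response: ("302", location) on success, ("400", None) otherwise."""
    location = safe_target(target)
    if location is None or not referer_trusted(referer):
        return ("400", None)
    return ("302", location)
```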
---------------------------------------
Received: (at 240675-done) by bugs.debian.org; 31 Mar 2004 07:51:56 +0000
>From kraai@lafn.org Tue Mar 30 23:51:56 2004
Return-path: <kraai@lafn.org>
Received: from zoot.lafn.org [206.117.18.6] 
	by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
	id 1B8aVw-0000sC-00; Tue, 30 Mar 2004 23:51:56 -0800
Received: from catalunya (host-66-81-28-109.rev.o1.com [66.81.28.109])
	by zoot.lafn.org (8.12.3p3/8.12.3) with ESMTP id i2V7prVX008114
	(version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO);
	Tue, 30 Mar 2004 23:51:54 -0800 (PST)
	(envelope-from kraai@lafn.org)
Received: from kraai by catalunya with local (Exim 4.30)
	id 1B8aZP-0000GO-Sk; Tue, 30 Mar 2004 23:55:31 -0800
Date: Tue, 30 Mar 2004 23:55:31 -0800
From: Matt Kraai <kraai@ftbfs.org>
To: Frank Lichtenheld <djpig@debian.org>, 240675-done@bugs.debian.org
Cc: Bart Schuller <schuller@debian.org>
Subject: Re: Bug#240675: www.debian.org: redirect.pl wide open and fools people
Message-ID: <20040331075531.GA1010@catalunya>
References: <20040328170530.F04E37FCBE@localhost> <20040330125357.GF1153@djpig.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20040330125357.GF1153@djpig.de>
User-Agent: Mutt/1.5.5.1+cvs20040105i
Sender: Matt Kraai <kraai@lafn.org>
X-Virus-Scanned: ClamAV version 'clamd / ClamAV version devel-20040209', clamav-milter version '0.66m'
Delivered-To: 240675-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-4.0 required=4.0 tests=BAYES_20,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

On Tue, Mar 30, 2004 at 02:53:57PM +0200, Frank Lichtenheld wrote:
> tags 240675 patch
> thanks
> 
> On Sun, Mar 28, 2004 at 07:05:30PM +0200, Bart Schuller wrote:
> > As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
> > the redirect.pl script on cgi.debian.org can be abused. Note that it
> > didn't work in galeon, but I expect this will be different for people
> > using Windows.
> > 
> > Perhaps some sort of referrer check is in order?
> 
> This has been pointed out before (like a week ago or so).
> A patch for it by me can be found at:
> http://lists.debian.org/debian-www/2004/debian-www-200403/msg00202.html
> 
> Can any of the webmasters please investigate this?

Applied, thanks for the patch.

-- 
Matt Kraai            kraai@ftbfs.org            http://ftbfs.org/