download.pl lets arbitrary stuff through

To: debian-www@lists.debian.org
Subject: download.pl lets arbitrary stuff through
From: "Bernhard R. Link" <brlink@debian.org>
Date: Mon, 11 Dec 2006 20:17:11 +0100
Message-id: <[🔎] 20061211191711.GA2448@pcpool00.mathematik.uni-freiburg.de>

I was just made aware, that
http://packages.debian.org/cgi-bin/download.pl
is very liberate in putting arbitrary stuff in the website,
try for example:

http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";></a><javascript><a href="&md5sum=<br><b>ups</b>&type=main

I think it should really only let characters save for filename
(Debian packages are [A-Za-z0-9_.+~:-] I think) through for files
and best ommit the md5sum completely if it is that easy to fake.

Hochachtungsvoll,
	Bernhard R. Link

Reply to:

Follow-Ups:
- Re: download.pl lets arbitrary stuff through
  - From: Javier Fernández-Sanguino Peña <jfs@computer.org>

Prev by Date: Bug#402631: marked as done (packages.debian.org: susceptible to XSS attacks)
Next by Date: Re: download.pl lets arbitrary stuff through
Previous by thread: Bug#402631: marked as done (packages.debian.org: susceptible to XSS attacks)
Next by thread: Re: download.pl lets arbitrary stuff through
Index(es):
- Date
- Thread