download.pl lets arbitrary stuff through
I was just made aware that
http://packages.debian.org/cgi-bin/download.pl
is very liberal in putting arbitrary stuff in the website;
try for example:
http://packages.debian.org/cgi-bin/download.pl?arch=i386&file="></a><javascript><a href="&md5sum=<br><b>ups</b>&type=main
I think it should really only let characters safe for filenames
(Debian packages are [A-Za-z0-9_.+~:-] I think) through for files
and best omit the md5sum completely if it is that easy to fake.
Yours faithfully,
Bernhard R. Link
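The two fixes the report asks for, a character whitelist on the file parameter and not trusting a client-supplied md5sum, as an added example; this is not the code of download.pl or of the packages.debian.org maintainers. It assumes the whitelist [A-Za-z0-9_.+~:-] from the message, a closed list of architectures, and a hypothetical pool path layout; the function names are its own. Whitelist validation stops a parameter from ever reaching the page, and HTML escaping of everything that is still interpolated is the second layer for anything the whitelist does not cover. Note that checking the md5sum's format only blocks injection through it; a checksum the client supplies is still not worth anything, which is why the report suggests dropping it.

```python
import html
import re

# Constructed example, not the code of packages.debian.org's download.pl.
# Character whitelist for Debian package file names, taken from the
# report's suggestion [A-Za-z0-9_.+~:-]; treat the exact set as an assumption.
FILENAME_RE = re.compile(r"\A[A-Za-z0-9_.+~:-]+\Z")
# An MD5 sum is exactly 32 hex digits; anything else is rejected outright.
MD5SUM_RE = re.compile(r"\A[0-9a-fA-F]{32}\Z")
# Architectures the script accepts: a closed list, never free text from the URL.
KNOWN_ARCHES = frozenset({"i386", "amd64", "source"})


def valid_filename(name: str) -> bool:
    """True only if every character of name is in the whitelist."""
    return bool(FILENAME_RE.match(name))


def valid_md5sum(digest: str) -> bool:
    """True only if digest looks like an MD5 hex string (format check only)."""
    return bool(MD5SUM_RE.match(digest))


def escaped_fragment(value: str) -> str:
    """Second layer: what HTML escaping alone does to a reflected parameter."""
    return html.escape(value, quote=True)


def render_download_page(arch: str, file: str, md5sum: str) -> str:
    """Return the HTML fragment for a download page, or raise ValueError.

    Every parameter is validated against a strict whitelist before any markup
    is built; then everything interpolated into the markup is escaped, so a
    value cannot close an attribute or open a tag even if validation is
    loosened later.
    """
    if arch not in KNOWN_ARCHES:
        raise ValueError("unknown architecture")
    if not valid_filename(file):
        raise ValueError("file name contains characters outside the whitelist")
    if not valid_md5sum(md5sum):
        raise ValueError("md5sum is not a 32-digit hex string")
    url = f"/debian/pool/{file}"  # hypothetical path layout for the example
    return (
        f'<a href="{escaped_fragment(url)}">{escaped_fragment(file)}</a><br>'
        f"MD5 sum: {escaped_fragment(md5sum)}"
    )


if __name__ == "__main__":
    # Constructed request values; the second one is the payload from the report.
    print(render_download_page("i386", "foo_1.0-1_i386.deb", "d" * 32))
    try:
        render_download_page("i386", '"></a><javascript><a href="', "<br><b>ups</b>")
    except ValueError as err:
        print("rejected:", err)
```

Running the script prints one well-formed anchor for the ordinary request and a rejection message for the crafted one; the crafted file value never reaches the output because the whitelist refuses it before any HTML is assembled.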