
XSS in bugs.debian.org



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

I just realized there's a cross-site scripting issue on bugs.debian.org,
which you might like to fix.

http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22

I know it's not your domain, but I'd like to point out that another XSS
and some other issue (which may range from info disclosure to DoS) have
been around on buildd.debian.org for a long time, first reported in Aug
2007, with reminders sent in June this year, and still unfixed.

Since, so far, there has apparently not been enough need to fix it,
here are these URLs on a public mailing list now.

http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E
http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E

Let me know if you need any help fixing these.

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEAREKAAYFAkkMiBkACgkQn6GkvSd/BgwH8QCeLP2fTuY5m0Sg+Z8O+87hV68z
up0AmgJ0mWfQy8X5ljBiEU8ObTrWhLmb
=TEhi
-----END PGP SIGNATURE-----
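
An added example, not part of the original message and not code from debbugs or buildd: a regression check that decodes the parameters of the three URLs quoted above and confirms that HTML-escaping them on output leaves no injected markup. The two templates in `CONTEXTS` and the names `reported_values` and `injected_tags` are assumptions made for illustration; the real server-side templates are not shown in the message.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# The three URLs quoted in the message above.
REPORTED_URLS = [
    "http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22",
    "http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E",
    "http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E",
]

# Hypothetical reflection points (assumption: the real templates are not shown).
CONTEXTS = {
    "attribute": '<input name="q" value="{v}">',
    "body": "<p>No results for {v}</p>",
}
TEMPLATE_TAGS = {"input", "p"}  # tags the templates themselves emit


class _Tags(HTMLParser):
    """Records every start tag the parser recognises."""

    def __init__(self):
        super().__init__()
        self.seen = []

    def handle_starttag(self, tag, attrs):
        self.seen.append(tag)


def reported_values():
    """Percent-decode every query parameter of the reported URLs."""
    return [(name, value) for url in REPORTED_URLS
            for name, value in parse_qsl(urlsplit(url).query)]


def injected_tags(value, context, escape):
    """Start tags present in the rendered page beyond the template's own."""
    if escape:
        # Encode & < > " ' so the value stays data in both contexts.
        value = html.escape(value, quote=True)
    parser = _Tags()
    parser.feed(CONTEXTS[context].format(v=value))
    parser.close()
    return [t for t in parser.seen if t not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for name, value in reported_values():
        for ctx in CONTEXTS:
            print(name, ctx, "raw:", injected_tags(value, ctx, False),
                  "escaped:", injected_tags(value, ctx, True))
```
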
