XSS vulnerability in debian.org

To: debian-www@lists.debian.org
Subject: XSS vulnerability in debian.org
From: David Shaw <dshaw@redspin.com>
Date: Tue, 5 Jan 2010 15:54:56 -0800
Message-id: <[🔎] da1e5a551001051554v2108f17do28cc0845aed028d2@mail.gmail.com>

Hello,

My name is David Shaw, and I am a security engineer with Redspin, Inc.

While browsing debian.org today, I noticed that some of the fields were not correctly sanitized, leading to a cross-site scripting vulnerability.

The URL to verify this vulnerability (with an XSS popup) is:

http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=%27%27;exclude=subject%3A%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

If this was not the correct email address to send this, I apologize and would like to request the correct address.

Thank you,

David Shaw

Reply to:

Follow-Ups:
- Re: XSS vulnerability in debian.org
  - From: Holger Levsen <holger@layer-acht.org>

Prev by Date: Re: www-master move: things to do: release-notes and installation-guide
Next by Date: Re: XSS vulnerability in debian.org
Previous by thread: Re: lost package in repository linux-headers-2.6.31-1-amd64
Next by thread: Re: XSS vulnerability in debian.org
Index(es):
- Date
- Thread