
Re: XSS vulnerability in debian.org



On Wed, 06 Jan 2010, Holger Levsen wrote:
> owner@bugs.debian.org is the right address for such reports.
> 
> On Mittwoch, 6. Januar 2010, David Shaw wrote:
> > While browsing debian.org today, I noticed that some of the fields
> > were not correctly sanitized, leading to a cross-site scripting
> > vulnerability.
> >
> > The URL to verify this vulnerability (with an XSS popup) is:
> >
> > http://bugs.debian.org/cgi-bin/pkgreport.cgi?tag=%27%27;exclude=subject%3A%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E

Thanks for the report; this has been fixed.


Don Armstrong

-- 
PowerPoint is symptomatic of a certain type of bureaucratic
environment: one typified by interminable presentations with lots of
fussy little bullet-points and flashy dissolves and soundtracks masked
into the background, to try to convince the audience that the goon
behind the computer has something significant to say.
 -- Charles Stross _The Jennifer Morgue_ p33

http://www.donarmstrong.com              http://rzlab.ucr.edu
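The report quoted above describes a reflected XSS: a value from the pkgreport.cgi query string is echoed into the page without HTML escaping. The following is an added example, not debbugs code and not the fix Don applied: it decodes the query string from the reported URL, reflects the values into a toy form (once raw, once escaped for an attribute context) and then checks with a real HTML parser whether a <script> element actually results, rather than just grepping for the string. The form template, the function names and the assumption that the value lands inside a quoted attribute are illustrative.

```python
"""Reflected-XSS demonstration for the pkgreport.cgi report above.

Added example, not debbugs code. Shows the bug class (raw reflection of a
query parameter into HTML) beside the fix class (escaping for the output
context) and a parser-based check that tells the two apart.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote_plus

# Query string copied from the reported URL (everything after '?').
REPORTED_QUERY = (
    "tag=%27%27;exclude=subject%3A%22%3E%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E"
)


def parse_query(query: str) -> dict:
    """Split a query string on '&' or ';' and percent-decode each pair.

    The reported URL uses ';' as the separator, which CGI.pm-era parsers
    accept alongside '&'. Repeated keys keep the last value (enough here).
    """
    params = {}
    for pair in filter(None, re.split(r"[&;]", query)):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def render_unsafe(params: dict) -> str:
    """Vulnerable (illustrative template): reflects decoded values verbatim.

    A value containing '">' closes the attribute and the <input> tag, so
    whatever follows is parsed as new markup.
    """
    return (
        '<form action="pkgreport.cgi">'
        f'<input name="tag" value="{params.get("tag", "")}">'
        f'<input name="exclude" value="{params.get("exclude", "")}">'
        "</form>"
    )


def render_safe(params: dict) -> str:
    """Fixed: escape for the HTML attribute context before reflecting.

    html.escape(..., quote=True) turns & < > " and ' into entities, so the
    payload's closing quote and its <script> tag become inert text.
    """
    def attr(value: str) -> str:
        return html.escape(value, quote=True)

    return (
        '<form action="pkgreport.cgi">'
        f'<input name="tag" value="{attr(params.get("tag", ""))}">'
        f'<input name="exclude" value="{attr(params.get("exclude", ""))}">'
        "</form>"
    )


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_script(rendered: str) -> bool:
    """True if the rendered page parses to a <script> element.

    Substring checks are fooled by escaped text; asking the parser what
    elements exist is what a browser would effectively do.
    """
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return "script" in collector.tags


if __name__ == "__main__":
    p = parse_query(REPORTED_QUERY)
    print("decoded exclude:", p["exclude"])
    print("unsafe injects script:", injected_script(render_unsafe(p)))
    print("safe   injects script:", injected_script(render_safe(p)))
```

Running it shows the decoded exclude value subject:"><script>alert('xss');</script>, that the raw template yields a parsed <script> element, and that the escaped template does not. The point to take from the example is that the escaping must match the output context (here an attribute value); html.escape with quote=True covers both element and quoted-attribute contexts, while escaping without quotes would still let the closing quote through.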

