
Bug#713001: Lack of proper escaping in http://www.debian.org/mirror/submit [Re: Vulnerability]
Package: www.debian.org
Severity: important
Control: retitle -1 http://www.debian.org/mirror/submit does not escape user-entered values in page returned
Control: submitter -1 codie manjot <codiemanjot@gmail.com>
User: www.debian.org@packages.debian.org
Usertags: scripts mirror
On Fri, 21 Jun 2013, codie manjot wrote:
> I found a non-persistent XSS in Debian.org. Below I have provided the
> vulnerable link. Please look into it & deploy a fix ASAP and revert
> back to me.
> 
> Vulnerability - Cross site scripting
> Vulnerable Link - http://www.debian.org/mirror/submit

As we mentioned previously, to report bugs against the website, please
file bugs against the www.debian.org package, as I have done with this
e-mail.
 
> POC -
> - Open the above given vulnerable link
> - Once opened, copy the below given XSS script in all the fields on that
> webpage & then click on submit. The malicious JavaScript was successfully
> injected on the webpage.


-- 
Don Armstrong                      http://www.donarmstrong.com

I always thought
violence didn't solve anything
until one day it did.
 -- a softer world #470
    http://www.asofterworld.com/index.php?id=470
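The defect the retitled bug describes, a form handler that reflects submitted values into the returned page without escaping them, shown beside the fix, as an added example that is not code from the bug report or from the real www.debian.org mirror/submit script. The page template, field names and sample submission are constructed assumptions.

```python
import html
from string import Template

# Constructed stand-in for a confirmation page that echoes form fields back.
# The real mirror/submit script and its field names are not known here.
PAGE = Template("<p>Site: $site</p><p>Contact: $contact</p>")

# Constructed submission: the contact field carries markup and quotes.
SAMPLE = {"site": "ftp.example.org", "contact": 'a <b>bold</b> "name"'}


def render_unescaped(fields: dict) -> str:
    """The defect: values are interpolated verbatim, so any markup in them
    becomes part of the page (reflected, non-persistent XSS)."""
    return PAGE.substitute(fields)


def render_escaped(fields: dict) -> str:
    """The fix: HTML-escape every user-entered value before it reaches the
    page. html.escape(quote=True) rewrites <, >, &, " and '."""
    return PAGE.substitute({k: html.escape(v, quote=True) for k, v in fields.items()})


def echoes_verbatim(fields: dict, page: str) -> bool:
    """Check a maintainer can run over a rendered response: True if any
    submitted value that contains HTML-significant characters appears in the
    page unchanged, i.e. it would be interpreted as markup by the browser."""
    return any(v != html.escape(v, quote=True) and v in page for v in fields.values())


if __name__ == "__main__":
    print("unescaped reflects markup:", echoes_verbatim(SAMPLE, render_unescaped(SAMPLE)))
    print("escaped reflects markup:  ", echoes_verbatim(SAMPLE, render_escaped(SAMPLE)))
```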