[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#504608: XSS in bugs.debian.org



Package: debbugs
Version: n/a
Severity: important
Tags: security


	Hi!

Am Samstag, den 01.11.2008, 17:47 +0100 schrieb Moritz Naumann:
> I just realized there's a cross site scripting issue on bugs.debian.org,
> which you migth like to fix.
> 
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22

 Confirmed.

> I know it's not your domain, but I'd like to point out that another XSS
> and some other issue (which may range from info disclosure to DoS) has
> been around on buildd.debian.org for a long time, first reported in Aug
> 2007, with reminders sent in June this year, and still unfixed.
> 
> Since, so far, there has apparently not been enough need to fix it,
> here's these URLs on a public mailing list now.
> 
> http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E
> http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E
> 
> Let me know if you need any help fixing these.

 Hmm, I'm not too sure if there is a (pseudo) package that this bug
could get cloned to for that, best thing propably would be to open a
ticket in RT.debian.org about it, but I'm not too sure in which queue?
Maybe someone else knows where to address this best these days ...

 Thanks,
Rhonda

Attachment: signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Reply to: