Bug#504608: XSS in bugs.debian.org
> Am Samstag, den 01.11.2008, 17:47 +0100 schrieb Moritz Naumann:
> > I know it's not your domain, but I'd like to point out that another XSS
> > and some other issue (which may range from info disclosure to DoS) has
> > been around on buildd.debian.org for a long time, first reported in Aug
> > 2007, with reminders sent in June this year, and still unfixed.
> > Since, so far, there has apparently not been enough need to fix it,
> > here's these URLs on a public mailing list now.
> > http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E
> > http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E
> > Let me know if you need any help fixing these.
I would welcome help in fixing these, yes. What do you need, the build.php
file? (It also requires a wp.php file, I can send that one as well).
Also, Moritz, I'm very sorry your repeated mails about these issues in
buildd.debian.org went unanswered for so long. I (and a bunch of other
people) just joined the team responsible for it this month, and I found
about this bug just by pure chance.
Thanks!
* Gerfried Fuchs [Wed, 05 Nov 2008 17:25:55 +0100]:
> Hmm, I'm not too sure if there is a (pseudo) package that this bug
> could get cloned to for that, best thing propably would be to open a
> ticket in RT.debian.org about it, but I'm not too sure in which queue?
> Maybe someone else knows where to address this best these days ...
There should exist a buildd.debian.org pseudo-package soon, see #504613.
I'll clone it when I see it's been created, or feel free to do so yourself.
Thanks,
--
Adeodato Simó dato at net.com.org.es
Debian Developer adeodato at debian.org
Listening to: Pedro Guerra - Pasaba por aquí
Reply to: