Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi
On Sat, 27 Sep 2014, Vlad Constantin wrote:
> I'll add to this bug instead of making a new one.
>
> /cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header
> injection vulnerabilities in vars repeatmerged, terse, reverse, trim,
> oldview
>
> XSS PoC:
> https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E
> Header injection PoC:
> https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a
Thanks for reporting these; those scripts probably shouldn't even be in
use at all. I've already removed them from bugs.debian.org, and I'll
probably eliminate them from git shortly.
--
Don Armstrong http://www.donarmstrong.com
"There's no problem so large it can't be solved by killing the user
off, deleting their files, closing their account and reporting their
REAL earnings to the IRS."
-- The B.O.F.H..
Reply to: