Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi

To: Vlad Constantin <v@vlad.uz>, 762967@bugs.debian.org
Subject: Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi
From: Don Armstrong <don@debian.org>
Date: Sat, 27 Sep 2014 10:52:54 -0700
Message-id: <[🔎] 20140927175254.GX8699@teltox.donarmstrong.com>
Reply-to: Don Armstrong <don@debian.org>, 762967@bugs.debian.org
In-reply-to: <[🔎] 54267375.1070604@vlad.uz>
References: <[🔎] 54267375.1070604@vlad.uz>

On Sat, 27 Sep 2014, Vlad Constantin wrote:
> I'll add to this bug instead of making a new one.
> 
> /cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header
> injection vulnerabilities in vars repeatmerged, terse, reverse, trim,
> oldview
> 
> XSS PoC:
> https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E
> Header injection PoC:
> https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a

Thanks for reporting these; those scripts probably shouldn't even be in
use at all. I've already removed them from bugs.debian.org, and I'll
probably eliminate them from git shortly.


-- 
Don Armstrong                      http://www.donarmstrong.com

"There's no problem so large it can't be solved by killing the user
off, deleting their files, closing their account and reporting their
REAL earnings to the IRS."
 -- The B.O.F.H..

Reply to:

References:
- Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi
  - From: Vlad Constantin <v@vlad.uz>

Prev by Date: Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi
Next by Date: Bug#763434: debbugs: retitled reports are found neither by old nor by new title/subject
Previous by thread: Bug#762967: XSS in bugs.debian.org/cgi-bin/version.cgi
Next by thread: Processed: limit source to debbugs, tagging 762967
Index(es):
- Date
- Thread