
[Popcon-developers] possible XSS issues in popcon server



Dear popularity-contest server admins,

Paul Wise found an input validation issue in the example scripts
shipped with popularity-contest.

In his own words:

  The example scripts for running a popcon server do not escape
  architecture and popularity-contest version number values before putting
  them on the popcon website, which means that a malicious popcon
  submitter could inject arbitrary HTML into the popcon website.
  The injected HTML could include everything from advertising to
  JavaScript code attempting to steal authentication cookies for other
  subdomains in the same top-level domain.

The vulnerable HTML files are generated by the script popcon.pl.
However, it seems safer to reject such reports outright in the script
prepop.pl. The attached patch does that.

The patch has been applied to the official popcon.debian.org.
If you generate a website from popcon data, we encourage you to check for this
issue.
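As an added illustration (not part of this mail or of the popularity-contest scripts), here is the same intake rule as the patch, applied in Python to constructed sample report headers, together with the HTML escaping that the page generator itself should do as a second layer. The header layout (a POPULARITY-CONTEST-0 tag followed by space-separated KEY:value fields) is an assumption for this example; the `\Z` anchor is used deliberately, because a plain `$` in both Python and Perl also matches before a trailing newline.

```python
import html
import re

# Allowlists mirroring the prepop.pl patch. \Z anchors at the true end of the
# string; a plain $ (in Python as in Perl) also matches before a trailing newline.
ARCH_RE = re.compile(r"[0-9A-Za-z-]*\Z")
VERS_RE = re.compile(r"[0-9A-Za-z.+~:-]*\Z")

# Constructed sample submission headers. The layout (a POPULARITY-CONTEST-0 tag
# followed by space-separated KEY:value fields) is an assumption for this example.
SAMPLE_REPORTS = [
    "POPULARITY-CONTEST-0 TIME:1426900000 ID:0123456789abcdef ARCH:amd64 POPCONVER:1.61",
    "POPULARITY-CONTEST-0 TIME:1426900001 ID:fedcba9876543210 ARCH:i386 POPCONVER:1.56+nmu1~bpo70",
    "POPULARITY-CONTEST-0 TIME:1426900002 ID:deadbeefdeadbeef ARCH:amd64<b>ad</b> POPCONVER:1.61",
    "POPULARITY-CONTEST-0 TIME:1426900003 ID:cafebabecafebabe ARCH:amd64 POPCONVER:1.56ubuntu1",
]

def parse_header(line):
    """Split the header line into a dict of fields, or return None if untagged."""
    tag, *parts = line.split()
    if tag != "POPULARITY-CONTEST-0":
        return None
    return dict(p.split(":", 1) for p in parts if ":" in p)

def check_report(line):
    """Apply the patch's intake rules and return 'reject' or 'accept'."""
    field = parse_header(line)
    if field is None:
        return "reject"
    arch = field.get("ARCH")
    if arch is not None and not ARCH_RE.match(arch):
        return "reject"
    vers = field.get("POPCONVER")
    if vers is not None and (vers.startswith("1.56ubuntu1") or not VERS_RE.match(vers)):
        return "reject"
    return "accept"

def render_row(field):
    """Second layer for the page generator: escape values before they reach HTML,
    which is what the unpatched popcon.pl did not do."""
    return "<tr><td>{}</td><td>{}</td></tr>".format(
        html.escape(field.get("ARCH", "")), html.escape(field.get("POPCONVER", "")))

def triage(lines):
    """Return [(ID, verdict), ...] for a batch of submissions."""
    return [((parse_header(l) or {}).get("ID"), check_report(l)) for l in lines]
```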

Sorry for the inconvenience,
Cheers,
-- 
Bill. <ballombe at debian.org>

Imagine a large red swirl here. 
diff --git a/examples/bin/prepop.pl b/examples/bin/prepop.pl
index c2c4fb5..96cf3a8 100755
--- a/examples/bin/prepop.pl
+++ b/examples/bin/prepop.pl
@@ -29,8 +29,14 @@ sub get_report
     return 'reject';
   }
   $id=$1; #untaint $id
+  $arch=$field{'ARCH'};
+  if (defined($arch) && $arch !~ /^[0-9A-Za-z-]*$/)
+  {
+    print STDERR "Report rejected: $arch: $id\n";
+    return 'reject';
+  }
   $vers=$field{'POPCONVER'};
-  if (defined($vers) && $vers =~ /^1\.56ubuntu1/)
+  if (defined($vers) && ($vers =~ /^1\.56ubuntu1/ || $vers !~ /^[0-9A-Za-z.+~:-]*$/))
   {
     print STDERR "Report rejected: $vers: $id\n";
     return 'reject';
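Review bot: in both the new ARCH check and the extended POPCONVER check, Perl's `$` also matches just before a trailing newline, so `/^[0-9A-Za-z-]*$/` accepts a value that ends in "\n"; anchoring with `\z` instead (`/^[0-9A-Za-z-]*\z/`, `/^[0-9A-Za-z.+~:-]*\z/`) closes that gap if the fields can carry one. Both patterns also use `*`, so an empty ARCH or POPCONVER passes; if that is intended, a short comment next to the check would save the next reader the question. Since this is rejection at intake only, escaping the values in popcon.pl when they are written into the pages remains worth adding as the second layer.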