Bug#388040: qa.debian.org: HTML/Client side script injections (XSS) in "advanced [PTS] subscription" script
Package: qa.debian.org
Severity: normal
The following URLs demonstrate that it is possible to inject client-side script (such as JavaScript) and HTML tags into the HTML form (1) and error message (2) output generated by the "advanced [PTS] subscription" script.
(1) http://packages.qa.debian.org/cgi-bin/pts.cgi?package=%22%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E%3Cz=%22&what=advanced&email=@
(2) http://packages.qa.debian.org/cgi-bin/pts.cgi?email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E
While this is usually handled as a security issue, the implications seem to be very small, so I'm tagging this as normal gravity.
Thanks for reading & possibly fixing,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8)
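The two proof-of-concept URLs above show the same flaw in two HTML contexts: in (1) the `package` value lands inside a double-quoted `value="..."` attribute, so a leading `">` closes the attribute and the tag and everything after it is parsed as markup; in (2) the `email` value lands in the text of an error message, where any `<` starts a tag. The following is an added example, not the source of pts.cgi (which is not on this page): a hypothetical reconstruction of the raw-reflection behaviour the report describes, next to the hardened form a reviewer would ask for, driven by the report's own URLs. The template strings and parameter names other than `package`, `what` and `email` are assumptions for illustration.

```python
"""Reflected-XSS demonstration modelled on Debian bug #388040.

Added example, not code from pts.cgi (whose source is not on the page).
render_vulnerable() reproduces the behaviour the report describes: the
`package` and `email` query parameters are copied into an HTML attribute
and into an error message unescaped.  render_hardened() uses the same
templates but escapes every reflected value for the context it lands in.
The templates themselves are assumptions made for this example.
"""
import html
from urllib.parse import parse_qs, urlsplit

# The two proof-of-concept URLs quoted in the report, verbatim.
POC_FORM_URL = ("http://packages.qa.debian.org/cgi-bin/pts.cgi?package=%22%3E%3Cscript%3E"
                "alert('XSS')%3B%3C/script%3E%3Cz=%22&what=advanced&email=@")
POC_ERROR_URL = ("http://packages.qa.debian.org/cgi-bin/pts.cgi?"
                 "email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E")


def query_params(url):
    """Decode the query string the way a CGI script sees it: one value per key."""
    raw = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in raw.items()}


def render_vulnerable(params):
    """Hypothetical reconstruction of the flawed output: raw reflection."""
    package = params.get("package", "")
    email = params.get("email", "")
    if params.get("what") == "advanced":
        # (1) The value sits inside a double-quoted attribute.  A leading
        # `">` closes the attribute and the <input> tag, so the rest of the
        # payload (`<script>...</script>`) becomes live markup.
        return ('<form><input type="text" name="package" value="%s">'
                '<input type="text" name="email" value="%s"></form>'
                % (package, email))
    # (2) The value sits in text content, where any `<` opens a tag.
    return "<p>Invalid e-mail address: %s</p>" % email


def render_hardened(params):
    """Same templates, but every reflected value is escaped for its context.

    html.escape(quote=True) rewrites <, >, &, " and ' as entities, which
    neutralises both the attribute break-out in (1) and the tag in (2).
    Attribute values must also stay quoted for this to be sufficient.
    """
    package = html.escape(params.get("package", ""), quote=True)
    email = html.escape(params.get("email", ""), quote=True)
    if params.get("what") == "advanced":
        return ('<form><input type="text" name="package" value="%s">'
                '<input type="text" name="email" value="%s"></form>'
                % (package, email))
    return "<p>Invalid e-mail address: %s</p>" % email


def reflects_script(page):
    """True if a literal <script tag survived into the rendered page."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for url in (POC_FORM_URL, POC_ERROR_URL):
        p = query_params(url)
        print("vulnerable:", reflects_script(render_vulnerable(p)),
              "hardened:", reflects_script(render_hardened(p)))
```

Escaping is context-specific: the entity encoding used here is right for HTML text and for quoted attribute values, but a value reflected into a `<script>` block, a URL or an unquoted attribute needs different treatment, and the response should also declare its charset (e.g. `Content-Type: text/html; charset=UTF-8`) so the browser does not guess an encoding in which other byte sequences decode to `<`.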