
Bug#388040: qa.debian.org: HTML/Client side script injections (XSS) in "advanced [PTS] subscription" script



Package: qa.debian.org
Severity: normal

The following URLs demonstrate that it is possible to inject client-side
script (such as JavaScript) and HTML tags into the HTML form (1) and error message (2) output generated by the "advanced [PTS] subscription" script.

(1) http://packages.qa.debian.org/cgi-bin/pts.cgi?package=%22%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E%3Cz=%22&what=advanced&email=@

(2)
http://packages.qa.debian.org/cgi-bin/pts.cgi?email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E

While this is usually handled as a security issue, the implications seem
to be very small, so I'm tagging this as normal gravity.

Thanks for reading & possibly fixing,

Moritz


-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-k7
Locale: LANG=de_DE.utf-8, LC_CTYPE=de_DE.utf-8 (charmap=UTF-8)
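To make the two injection contexts in the report concrete, here is an added example that is not part of the bug report or of the qa.debian.org code. It decodes the two proof-of-concept URLs exactly as quoted above, renders them through a hypothetical CGI template in its unescaped and its output-encoded form, and then checks the result with an HTML parser rather than by string search, so the difference between "the attribute is closed and a script tag follows" and "the browser sees the payload as plain attribute text" is visible. The template strings and function names are assumptions; only the URLs come from the report.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed input: the two proof-of-concept URLs quoted in the bug report.
POC_FORM_URL = ("http://packages.qa.debian.org/cgi-bin/pts.cgi"
                "?package=%22%3E%3Cscript%3Ealert('XSS')%3B%3C/script%3E%3Cz=%22"
                "&what=advanced&email=@")
POC_ERROR_URL = ("http://packages.qa.debian.org/cgi-bin/pts.cgi"
                 "?email=%3Cscript%3Ealert('XSS')%3B%3C/script%3E")


def query_params(url):
    """Decode the query string as a CGI script would (first value per name)."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


# --- Hypothetical vulnerable rendering: raw parameters pasted into HTML ---

def render_form_vulnerable(params):
    # The package name lands inside a double-quoted attribute; a leading
    # '">' in the value closes the attribute and the tag (report URL 1).
    return '<input type="text" name="package" value="%s">' % params.get("package", "")


def render_error_vulnerable(params):
    # The e-mail lands in element text; any '<' starts a new tag (report URL 2).
    return "<p>Invalid e-mail address: %s</p>" % params.get("email", "")


# --- Hardened rendering: encode for the HTML context on output ---

def render_form_fixed(params):
    # quote=True also encodes " and ', which the attribute context requires.
    return '<input type="text" name="package" value="%s">' % html.escape(
        params.get("package", ""), quote=True)


def render_error_fixed(params):
    return "<p>Invalid e-mail address: %s</p>" % html.escape(
        params.get("email", ""), quote=True)


# --- Check the result the way a browser would: parse it, don't grep it ---

class TagCollector(HTMLParser):
    """Records every start tag with its (entity-decoded) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def start_tags(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def injects_script(markup):
    """True if the markup, as parsed, contains a <script> element."""
    return any(tag == "script" for tag, _ in start_tags(markup))


def package_value_as_seen_by_browser(markup):
    """The decoded value attribute of the first <input>, or None."""
    for tag, attrs in start_tags(markup):
        if tag == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    form = query_params(POC_FORM_URL)
    err = query_params(POC_ERROR_URL)
    print("form, vulnerable, script injected:", injects_script(render_form_vulnerable(form)))
    print("form, fixed, script injected:     ", injects_script(render_form_fixed(form)))
    print("error, vulnerable, script injected:", injects_script(render_error_vulnerable(err)))
    print("error, fixed, script injected:     ", injects_script(render_error_fixed(err)))
    print("attribute value the browser sees after the fix:",
          package_value_as_seen_by_browser(render_form_fixed(form)))
```

The point of the parser-based check is that the fix is correct for the context the value is written into: after escaping, the input element's value attribute is the whole payload as inert text, whereas the unescaped version yields an empty value followed by a separate script element. Escaping with `quote=True` matters for the attribute case; a text-only escape that leaves `"` alone would still let the first URL break out of the attribute.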

