Bug#388040: qa.debian.org: HTML/Client side script injections (XSS) in "advanced [PTS] subscription" script
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Thijs,
Thijs Kinkhorst wrote:
> I don't think this is in any way an issue, even not with "normal"
> severity.
in my opinion, it remains a bug for the reasons given below. Personally,
I don't really care whether or not it's changed/fixed, though.
I think it remains a bug because
(a) the script handles output of " (double quotes) incorrectly (it is
not encoded). You will retrieve broken output when using this character.
(b) not every user agent (web browser) handles domain context seperation
correctly. As such, depending on the client application being used, it's
possible that the script injection may be usable to inject HTTP requests
within all subdomains of the debian.org domain. This is, of course,
solely a bug in the client, but this unexpected server side behaviour
could be considered as contributing.
Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iD8DBQFFDoDfn6GkvSd/BgwRAlvcAJ936ZTgBcVZ2ej4q9W9nF8YennrewCdE471
Hs7BoaXShTUKJsP3Vn5Y08o=
=zD3y
-----END PGP SIGNATURE-----
Reply to: