Re: XSS in pgstatus code
On 13.02.2012 13:33 Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>> I just came across this XSS in the pgstatus code and thought I'd let
>> you know.
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere.
Hmm, I'm having trouble understanding your argument. Are you saying that
unless it prevents it from executing, such as in an HTML comment (which
you cannot end by starting the injection with '-->' or similar. Yes, you
can probably not steal any important information off this site. Still,
it's quite useful for phishing, link redirection, malware injection etc.
> I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
> Aurélien, can you please apply the last commit to pgstatus's instance on
Thanks for fixing it.
For what it's worth, I first reported this in July 2007 and repeatedly
since then, to various contacts, also including other issues. See also
rt.debian.org ticket #151. I do know Debian is all volunteer run. Still,
also because of the good work the security teams are doing,
I had hoped for a better responsiveness (this is 4.5 years now) to such
Don't take me wrong, though, I'm happy this did get fixed and I
appreciate you doing it.
Naumann IT Security Consulting
Phone +49 (0)30 555 767 75
Fax +49 (0)321 211 915 94
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C
Owner: Moritz Naumann · Tax no. 22/652/12010 · VAT ID DE266365097
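The fix Mehdi describes above (wrapping the user's input in a htmlspecialchars call before it lands in the notification div), shown as an added illustration that is not pgstatus's own code; the notification wording and the helper names are assumptions:

```php
<?php
// Added illustration, not taken from pgstatus. The message text and the
// function names are assumptions made for this example.

// Before: the user's input is concatenated into the notification <div>
// untouched, so a value containing '<script>' is parsed as markup and
// executed in the visitor's browser (a reflected XSS).
function notify_unsafe(string $input): string
{
    return '<div class="error">Unknown package: ' . $input . '</div>';
}

// After: encode the input for an HTML text context before output.
// ENT_QUOTES also encodes single quotes (so the same helper is safe in
// quoted attributes), ENT_SUBSTITUTE avoids returning an empty string on
// invalid UTF-8, and the explicit charset prevents encoding mismatches.
// Note that this is the right encoding for HTML text and attribute
// values only; a value placed inside a <script> block or a URL needs a
// context-specific encoding instead.
function notify_safe(string $input): string
{
    $escaped = htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="error">Unknown package: ' . $escaped . '</div>';
}

// Defence in depth: the value is supposed to be a package name, so it
// can additionally be validated against a strict allowlist and anything
// else rejected before it is ever reflected back to the user.
function is_valid_package_name(string $input): bool
{
    return preg_match('/\A[a-z0-9][a-z0-9+.-]{0,127}\z/', $input) === 1;
}

// Constructed probe string, used only to compare the two outputs.
$probe = '<script>alert(1)</script>';

echo notify_unsafe($probe), "\n";   // script tag survives as markup
echo notify_safe($probe), "\n";     // script tag is shown as literal text
var_dump(is_valid_package_name($probe));    // false
var_dump(is_valid_package_name('pgstatus')); // true
```

Run with `php example.php` to compare the raw and encoded notification markup side by side.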