[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: XSS in pgstatus code

On 13.02.2012 13:33 Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>> I just came across this XSS in the pgstatus code and though I'd let
>> you know.
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere. 

Hmm, I'm having trouble understanding your argument. Are you saying that
because you can inject javascript code 'only' within a <div></div> it's
not a problem? Javascript injected anywhere in a website is a problem
unless it prevents it from executing, such as in a HTML comment (which
you cannot end by starting the injection with '-->' or similar. Yes, you
can probably not steal any important information off this site. Still,
it's quite useful for phishing, link redirection, malware injection etc.

> I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
> Aurélien, can you please apply the last commit to pgstatus's instance on 
> debian-ports.org?
> Cheers.

Thanks for fixing it.
For what it's worth, I first reported this in July 2007 and repeatedly
since then, to various contacts, also including other issues. See also
rt.debian.org ticket #151. I do know Debian is all volunteer run. Still,
also because of the good work the security teams are doing,
I had hoped for a better responsiveness (this is 4,5 years now) to such

Don't take me wrong, though, I'm happy this did get fixed and I
appreciate you doing it.

Naumann IT Security Consulting

Samariterstr. 16
10247 Berlin

Phone  +49 (0)30  555 767 75
Fax    +49 (0)321 211 915 94
E-Mail info@moritz-naumann.com
Web    http://moritz-naumann.com
GPG    http://pool.sks-keyservers.net:11371/pks/lookup?search=0x934500B0
       17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C

Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097

Reply to: