Re: XSS in pgstatus code

To: mehdi@debian.org
Cc: debian-wb-team@lists.debian.org, wbadm@buildd.debian-ports.org
Subject: Re: XSS in pgstatus code
From: info@moritz-naumann.com
Date: Mon, 13 Feb 2012 23:04:05 +0100
Message-id: <[🔎] 4F3988D5.3010709@moritz-naumann.com>
In-reply-to: <[🔎] 4F39031F.1000606@debian.org>
References: <[🔎] 4F388818.3090104@moritz-naumann.com> <[🔎] 4F39031F.1000606@debian.org>

On 13.02.2012 13:33 Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>>
>> I just came across this XSS in the pgstatus code and though I'd let
>> you know.
>>
> 
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere. 

Hmm, I'm having trouble understanding your argument. Are you saying that
because you can inject javascript code 'only' within a <div></div> it's
not a problem? Javascript injected anywhere in a website is a problem
unless it prevents it from executing, such as in a HTML comment (which
you cannot end by starting the injection with '-->' or similar. Yes, you
can probably not steal any important information off this site. Still,
it's quite useful for phishing, link redirection, malware injection etc.

> I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
> 
> Aurélien, can you please apply the last commit to pgstatus's instance on 
> debian-ports.org?
> 
> Cheers.
> 

Thanks for fixing it.
For what it's worth, I first reported this in July 2007 and repeatedly
since then, to various contacts, also including other issues. See also
rt.debian.org ticket #151. I do know Debian is all volunteer run. Still,
also because of the good work the security teams are doing,
I had hoped for a better responsiveness (this is 4,5 years now) to such
issues.

Don't take me wrong, though, I'm happy this did get fixed and I
appreciate you doing it.

Moritz
-- 
Naumann IT Security Consulting

Samariterstr. 16
10247 Berlin
Germany

Phone  +49 (0)30  555 767 75
Fax    +49 (0)321 211 915 94
E-Mail info@moritz-naumann.com
Web    http://moritz-naumann.com
GPG    http://pool.sks-keyservers.net:11371/pks/lookup?search=0x934500B0
       17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C

Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097

Reply to:

Follow-Ups:
- Re: XSS in pgstatus code
  - From: Philipp Kern <pkern@debian.org>

References:
- XSS in pgstatus code
  - From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
- Re: XSS in pgstatus code
  - From: Mehdi Dogguy <mehdi@debian.org>

Prev by Date: Give back freecad 0.12.5284-dfsg-3 on mips
Next by Date: Give-Back of libgtk2-perl on mipsel
Previous by thread: Re: XSS in pgstatus code
Next by thread: Re: XSS in pgstatus code
Index(es):
- Date
- Thread