[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: code injection in packages.debian.org

On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
> Hello,
>     [please CC me in replies, I'm not subscribed]
> it's easy to do some code injection in packages.debian.org:

This is not code injection, it's cross site-scripting. Given that:

- packages.debian.org does not have any kind of client authentication
- packages.debian.org does not use SSL certificate

this is as much a problem as somebody being able to setup a "fake"
packages.debian.org or do MITM injection.

Not that I wouldn't want to see this fixed but, really, this is as low risk
as it can get. Through XSS no one could retrieve user credentials and no one
should be trusting (in this day an age) the information from a website that
is not signed (through an SSL server-side certificatE).

That being said. I've developed a fix for the download CGI application
(attached). And will submit this as a bug.


Index: download.pl
RCS file: /cvs/webwml/packages/cgi-bin/download.pl,v
retrieving revision 1.27
diff -u -r1.27 download.pl
--- download.pl	1 Dec 2006 08:42:27 -0000	1.27
+++ download.pl	11 Dec 2006 17:49:34 -0000
@@ -182,17 +182,28 @@
 $file = $input->param('file');
 param_error( "file" ) unless defined $file;
+# Make file fit in a regexp
+param_invalid ("file") if  $file !~ /^[\w\%\.\_\-]+$/;
 @file_components = split('/', $file);
 $filen = pop(@file_components);
 $md5sum = $input->param('md5sum');
 param_error( "md5sum" ) unless defined $md5sum;
+# Make md5sum fit in a regexp
+param_invalid ("md5sum") if  $md5sum !~ /^\w{32}$/;
 $type = $input->param('type');
 param_error( "type" ) unless defined $type;
+# Make type fit in a regexp
+param_invalid ("type") if  $type !~ /^\w{1,10}$/;
 $arch = $input->param('arch');
 param_error( "arch" ) unless defined $arch;
+# Make arch fit in a regexp
+param_invalid ("arch") if  $arch !~ /^[\w\-]{1,10}$/;
+# And also check that it is in the list of supported archs
+param_invalid ("arch") if  ! defined ($arches{$arch});
 my $arch_string = $arch ne 'all' ? "on $arches{$arch} machines" : "";
@@ -340,3 +351,12 @@
     print "<p>If the problem persists, please inform $ENV{SERVER_ADMIN}.</p>\n";
+sub param_invalid {
+    my $param = shift;
+    print "<p>Error: Required parameter \"$param\" does not have a valid content.</p>\n";
+    print "<p>If the problem persists, please inform $ENV{SERVER_ADMIN}.</p>\n";
+    exit;

Attachment: signature.asc
Description: Digital signature

Reply to: