
Re: code injection in packages.debian.org



On Mon, Dec 11, 2006 at 04:57:30PM +0100, Christian Boltz wrote:
> Hello,
> 
>     [please CC me in replies, I'm not subscribed]
> 
> it's easy to do some code injection in packages.debian.org:

This is not code injection, it's cross-site scripting. Given that:

- packages.debian.org does not have any kind of client authentication
- packages.debian.org does not use an SSL certificate

this is as much a problem as somebody being able to set up a "fake"
packages.debian.org or do MITM injection.

Not that I wouldn't want to see this fixed but, really, this is as low risk
as it can get. Through XSS no one could retrieve user credentials and no one
should be trusting (in this day and age) the information from a website that
is not signed (through an SSL server-side certificate).

That being said, I've developed a fix for the download CGI application
(attached) and will submit this as a bug.

Regards

Javier
Index: download.pl
===================================================================
RCS file: /cvs/webwml/packages/cgi-bin/download.pl,v
retrieving revision 1.27
diff -u -r1.27 download.pl
--- download.pl	1 Dec 2006 08:42:27 -0000	1.27
+++ download.pl	11 Dec 2006 17:49:34 -0000
@@ -182,17 +182,28 @@
 
 $file = $input->param('file');
 param_error( "file" ) unless defined $file;
+# Make file fit in a regexp
+param_invalid ("file") if  $file !~ /^[\w\%\.\_\-]+$/;
 @file_components = split('/', $file);
 $filen = pop(@file_components);
 
 $md5sum = $input->param('md5sum');
 param_error( "md5sum" ) unless defined $md5sum;
+# Make md5sum fit in a regexp
+param_invalid ("md5sum") if  $md5sum !~ /^\w{32}$/;
 
 $type = $input->param('type');
 param_error( "type" ) unless defined $type;
+# Make type fit in a regexp
+param_invalid ("type") if  $type !~ /^\w{1,10}$/;
 
 $arch = $input->param('arch');
 param_error( "arch" ) unless defined $arch;
+# Make arch fit in a regexp
+param_invalid ("arch") if  $arch !~ /^[\w\-]{1,10}$/;
+# And also check that it is in the list of supported archs
+param_invalid ("arch") if  ! defined ($arches{$arch});
+
 
 my $arch_string = $arch ne 'all' ? "on $arches{$arch} machines" : "";
 
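Review bot: the new check on `file` (`/^[\w\%\.\_\-]+$/`) rejects any value containing `/`, yet the very next unchanged line still does `split('/', $file)` and pops the last component into `$filen`. Either a slash is a legitimate part of `file`, in which case the regexp now breaks valid downloads, or it is not, in which case the split is dead code and should be dropped; please decide which and adjust. Also prefer `\z` over `$` in these anchors, since `$` in Perl still matches before a trailing newline. The `md5sum` pattern `/^\w{32}$/` is looser than an MD5 digest: `\w` admits `_` and non-hex letters, so `/^[0-9a-fA-F]{32}\z/` expresses the intent. `\_` inside the `file` character class is redundant because `\w` already covers `_`. For `arch`, the `defined ($arches{$arch})` lookup is the real allowlist and makes the preceding regexp a belt-and-braces check, which is fine; the same table-driven approach would be preferable for `type` if its valid values are enumerable.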
@@ -340,3 +351,12 @@
     print "<p>If the problem persists, please inform $ENV{SERVER_ADMIN}.</p>\n";
     exit;
 }
+
+sub param_invalid {
+    my $param = shift;
+
+    print "<p>Error: Required parameter \"$param\" does not have a valid content.</p>\n";
+    print "<p>If the problem persists, please inform $ENV{SERVER_ADMIN}.</p>\n";
+    exit;
+}
+
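Review bot: `param_invalid` mirrors the existing error handler directly above it, which is the right shape, and `$param` is only ever a string literal from the callers in the first hunk, so printing it unescaped is safe. Two small points: the message reads awkwardly, `does not have a valid content` should be `is not valid` or `has an invalid value`; and the added blank line at the very end of the file is stray whitespace. Since the callers test `param_error` first and `param_invalid` immediately after, the two handlers could share one routine taking the message text as a second argument instead of duplicating the `$ENV{SERVER_ADMIN}` boilerplate.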
