XSS in updated packages.debian.org

To: debian-www@lists.debian.org
Subject: XSS in updated packages.debian.org
From: Moritz Naumann <security@moritz-naumann.com>
Date: Tue, 18 Sep 2007 20:23:48 +0200
Message-id: <[🔎] 46F017B4.7030107@moritz-naumann.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi,

there's an XSS issue in the updated p.d.o:

http://packages.debian.org/content%3D0%3Bjavascript%3Aalert%280%29%3E/http-equiv%3Drefresh/%3Cmeta

The '0' which is output could be replaced by encoded text or arbitrary
javascript instructions.

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFG8Be0n6GkvSd/BgwRCrjLAJ9VwLWJJWxBKn2XMEcEt0MBU16ObgCggI4l
C0i9uvn/q1uJrUwYkf9oFZo=
=TtSf
-----END PGP SIGNATURE-----

Reply to:

Follow-Ups:
- Re: XSS in updated packages.debian.org
  - From: Frank Lichtenheld <djpig@debian.org>

Prev by Date: Bug#443093: p.d.o: Suggested restriction on package search
Next by Date: Re: XSS in updated packages.debian.org
Previous by thread: Bug#443093: p.d.o: Suggested restriction on package search
Next by thread: Re: XSS in updated packages.debian.org
Index(es):
- Date
- Thread