Re: XSS in updated packages.debian.org
On Tue, Sep 18, 2007 at 08:23:48PM +0200, Moritz Naumann wrote:
> there's an XSS issue in the updated p.d.o:
>
> http://packages.debian.org/content%3D0%3Bjavascript%3Aalert%280%29%3E/http-equiv%3Drefresh/%3Cmeta
>
> The '0' which is output could be replaced by encoded text or arbitrary
> javascript instructions.
Thanks for your report. I have identified the issue and will try to
deploy the fix ASAP.
Regards,
--
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/