Re: XSS in updated packages.debian.org
Hi Frank,
Frank Lichtenheld wrote:
> On Tue, Sep 18, 2007 at 08:23:48PM +0200, Moritz Naumann wrote:
>> there's an XSS issue in the updated p.d.o:
>>
>> http://packages.debian.org/content%3D0%3Bjavascript%3Aalert%280%29%3E/http-equiv%3Drefresh/%3Cmeta
>>
>> The '0' which is output could be replaced by encoded text or arbitrary
>> javascript instructions.
>
> Thanks for your report. I have identified the issue and will try to
> deploy the fix ASAP.
Thanks for fixing this so quickly.
I'm not sure if this is related, but the error message at
http://packages.debian.org/sid/xxx
now echoes HTML code (duplicate entity encoding):
No such package.<br><a
href="?lang=en&suite=sid&keywords=xxx">Search for the package</a>
The source code for this is:
<p>No such package.<br><a
href="?lang=en&amp;suite=sid&amp;keywords=xxx">Search for the
package</a></p>
Moritz
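As an added defender-side illustration (not code from packages.debian.org or from anyone in this thread), the following Python renders the "No such package" fragment with a single, correctly scoped encoding step, reproduces the duplicate entity encoding that makes the literal `<br><a ...>` text show up in the browser, and gives a check that flags such output. The function names and the use of `urlencode` for the query string are assumptions.

```python
import html
import re
from urllib.parse import urlencode


def render_not_found(suite: str, keywords: str, lang: str = "en") -> str:
    """Build the error fragment, encoding each value for its own context.

    The query values are percent-encoded for the URL, then the whole href
    is entity-encoded exactly once for the attribute context. A keyword
    such as '<meta http-equiv=refresh ...>' therefore never reaches the
    page as markup.
    """
    query = "?" + urlencode({"lang": lang, "suite": suite, "keywords": keywords})
    return (
        '<p>No such package.<br><a href="{}">Search for the package</a></p>'
    ).format(html.escape(query, quote=True))


def render_not_found_double_encoded(suite: str, keywords: str) -> str:
    """Reproduce the reported symptom: an outer layer escapes a fragment
    that is already finished HTML, so the browser displays the source
    ('No such package.<br><a href=...') instead of rendering it."""
    return html.escape(render_not_found(suite, keywords), quote=True)


# An entity whose ampersand has itself been entity-encoded, e.g. '&amp;lt;'
# or '&amp;amp;', only appears when encoding was applied twice.
_DOUBLE_ENCODED = re.compile(r"&amp;(?:amp|lt|gt|quot|#x?[0-9a-fA-F]+);")


def has_double_encoding(markup: str) -> bool:
    """Regression check for rendered output: True if a double-encoded
    entity is present."""
    return _DOUBLE_ENCODED.search(markup) is not None


if __name__ == "__main__":
    good = render_not_found("sid", "xxx")
    bad = render_not_found_double_encoded("sid", "xxx")
    print(good)
    print(has_double_encoding(good), has_double_encoding(bad))
```

Running the module prints the correctly encoded fragment followed by `False True`.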