
Re: XSS in updated packages.debian.org




Hi Frank,

Frank Lichtenheld wrote:
> On Tue, Sep 18, 2007 at 08:23:48PM +0200, Moritz Naumann wrote:
>> there's an XSS issue in the updated p.d.o:
>>
>> http://packages.debian.org/content%3D0%3Bjavascript%3Aalert%280%29%3E/http-equiv%3Drefresh/%3Cmeta
>>
>> The '0' which is output could be replaced by encoded text or arbitrary
>> javascript instructions.
> 
> Thanks for your report. I have identified the issue and will try to
> deploy the fix ASAP.

thanks for fixing this so quickly.

I'm not sure if this is related, but the error message at
http://packages.debian.org/sid/xxx
now echoes HTML code (duplicate entity encoding):

No such package.<br><a
href="?lang=en&amp;suite=sid&amp;keywords=xxx">Search for the package</a>

The source code for this is:
<p>No such package.&lt;br&gt;&lt;a
href="?lang=en&amp;amp;suite=sid&amp;amp;keywords=xxx"&gt;Search for the
package&lt;/a&gt;</p>

Moritz
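The double entity encoding Moritz describes, reproduced and fixed in an added Python example (this is not code from packages.debian.org, whose own implementation is not shown here; the function names and the page-template structure are assumptions):

```python
import html
import re
from urllib.parse import urlencode


def search_link(lang, suite, keywords):
    """Build the href of the 'Search for the package' link.

    The query values are untrusted data: urlencode percent-encodes them,
    and html.escape makes the '&' separators attribute-safe. This string is
    now markup and must not be passed through an HTML escaper again.
    """
    query = urlencode({"lang": lang, "suite": suite, "keywords": keywords})
    return "?" + html.escape(query, quote=True)


def buggy_error_page(lang, suite, keywords):
    """Bug pattern from the report: the message is assembled with escaping
    already applied, then the page template escapes the whole string once
    more, so '<br>' becomes '&lt;br&gt;' and '&amp;' becomes '&amp;amp;'."""
    message = ('No such package.<br><a href="%s">Search for the package</a>'
               % search_link(lang, suite, keywords))
    # quote=False mirrors an escaper that leaves '"' alone, as in the report.
    return "<p>" + html.escape(message, quote=False) + "</p>"


def fixed_error_page(lang, suite, keywords):
    """Escape each piece of data exactly once, at the point it is inserted,
    and never re-escape assembled markup."""
    link = search_link(lang, suite, keywords)
    return ('<p>No such package.<br><a href="%s">Search for the package</a></p>'
            % link)


DOUBLE_ENCODED = re.compile(r"&amp;(amp|lt|gt|quot);")


def is_double_encoded(page):
    """Regression check: a doubly escaped entity is a reliable symptom
    of escaping the same string twice."""
    return DOUBLE_ENCODED.search(page) is not None


if __name__ == "__main__":
    # Constructed request matching the one in the report: suite sid, package xxx.
    print(buggy_error_page("en", "sid", "xxx"))
    print(fixed_error_page("en", "sid", "xxx"))
```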