Re: abuse


On Wednesday 17 October 2012 20:26:15 Paul Wise wrote:
> On Thu, Oct 18, 2012 at 8:36 AM, Jasper Noe wrote:
> > Hello, the following link contains a redirection to pharmacy spam:
> >> [redacted]
> That looks like a security issue (XSS) in FusionForge, CCing the relevant
> folks.

Thanks for forwarding the report.

FusionForge is apparently serving the attachments with the content-type of 
the file, which in this and other cases would make browsers attempt to 
display the content instead of forcing a download.
Were they being served with the application/octet-stream MIME type, browsers 
would usually display the download prompt.

The given URL is one of many that point to files attached to tickets, and 
they happen to be an HTML file with the look&feel of alioth.

FusionForge maintainers: could you please address this issue and comment on 
the other ones?
If the version in squeeze can't be supported we could remove it, but we 
can't just get rid of alioth.

Raphael Geissert
Debian Security Team
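The mitigation the message points at, written out as an added example (not FusionForge's code): user-uploaded attachments are served as an opaque download, with the uploader-declared type ignored, instead of being echoed back with whatever content type was stored at upload time. The sample attachment record and the helper names are constructed for the illustration.

```python
"""Hardened attachment headers: an added example, not FusionForge code."""
from urllib.parse import quote

# Constructed sample of what an uploaded ticket attachment record might carry.
# The stored MIME type came from the uploader's browser and must not be trusted.
SAMPLE_ATTACHMENT = {
    "filename": "alioth-login.html",
    "declared_type": "text/html",
}


def weak_attachment_headers(att):
    """The behaviour the report describes: echo the uploader's content type.
    A browser handed text/html renders the attachment as a page on the
    serving origin, so any script or meta-refresh inside it runs there."""
    return {"Content-Type": att["declared_type"]}


def _ascii_fallback(name):
    """Quoted-string-safe ASCII fallback for the Content-Disposition filename."""
    safe = "".join(
        c if 32 <= ord(c) < 127 and c not in '"\\' else "_" for c in name
    )
    return safe or "download"


def hardened_attachment_headers(att):
    """Serve any user upload as an opaque download.

    - application/octet-stream: never rendered as HTML, SVG, XML, etc.
    - Content-Disposition: attachment: forces the save prompt; the original
      name is carried as an ASCII fallback plus an RFC 5987 filename*.
    - X-Content-Type-Options: nosniff: stops browsers from overriding the
      declared type by sniffing the body.
    """
    name = att["filename"]
    disposition = 'attachment; filename="%s"; filename*=UTF-8\'\'%s' % (
        _ascii_fallback(name),
        quote(name, safe=""),
    )
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": disposition,
        "X-Content-Type-Options": "nosniff",
    }


def would_render_inline(headers):
    """Rough check of whether a browser would display the response inline:
    a renderable type combined with no attachment disposition."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    disp = headers.get("Content-Disposition", "").lower()
    renderable = ctype in {
        "text/html", "application/xhtml+xml", "image/svg+xml",
        "text/xml", "application/xml",
    }
    return renderable and not disp.startswith("attachment")


if __name__ == "__main__":
    print("weak renders inline:",
          would_render_inline(weak_attachment_headers(SAMPLE_ATTACHMENT)))
    print("hardened renders inline:",
          would_render_inline(hardened_attachment_headers(SAMPLE_ATTACHMENT)))
```

The `would_render_inline` check is the test a reviewer can run against a captured response: an attachment endpoint that returns `text/html` without `Content-Disposition: attachment` is the condition described in the report.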