Re: abuse

To: Paul Wise <pabs@debian.org>
Cc: Jasper Noe <rjnoe@xs4all.nl>, debian-www@lists.debian.org, security@debian.org, admin@alioth.debian.org, fusionforge@packages.debian.org
Subject: Re: abuse
From: Raphael Geissert <geissert@debian.org>
Date: Wed, 17 Oct 2012 21:28:52 -0500
Message-id: <[🔎] 201210172128.53539.geissert@debian.org>
In-reply-to: <[🔎] CAKTje6F213ioeVoHsQa6LrcHkkX16pXutSzr=6YEwuAZdi2ZfA@mail.gmail.com>
References: <[🔎] 507F4EF3.4050702@xs4all.nl> <[🔎] CAKTje6F213ioeVoHsQa6LrcHkkX16pXutSzr=6YEwuAZdi2ZfA@mail.gmail.com>

Hi,

On Wednesday 17 October 2012 20:26:15 Paul Wise wrote:
> On Thu, Oct 18, 2012 at 8:36 AM, Jasper Noe wrote:
> > Hello, the following link contains a redirection to parmacy spam:
> >> [redacted]
> 
> That looks like a security issue (XSS) in FusionForge, CCing the relevant
> folks.

Thanks for forwarding the report.

FusionForge is apparently serving the attachments with the content-type of 
the file, which in this and other cases would make browsers attempt to 
display the content instead of forcing a download.
Were they being served with the application/octet-stream MIME type, browsers 
would usually display the download prompt.

The given URL is one of many that point to files attached to tickets, and 
they happen to be an HTML file with the look&feel of alioth.

FusionForge maintainers: could you please address this issue and comment on 
the other ones?
If the version in squeeze can't be supported we could remove it, but we 
can't just get rid of alioth.

Regards,
-- 
Raphael Geissert
Debian Security Team

Reply to:

References:
- abuse
  - From: Jasper Noe <rjnoe@xs4all.nl>
- Re: abuse
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: abuse
Next by Date: Bug#354432: w.d.o: Incorrect Quote in paragraphs with different language
Previous by thread: Re: abuse
Next by thread: Bug#354432: w.d.o: Incorrect Quote in paragraphs with different language
Index(es):
- Date
- Thread