
Bug#713001: marked as done (http://www.debian.org/mirror/submit does not escape user-entered values in page returned)



Your message dated Sun, 23 Jun 2013 22:25:13 +0200
with message-id <20130623202513.GB14026@toshi>
and subject line Re: Bug#713001: Lack of proper escaping in http://www.debian.org/mirror/submit [Re: Vulnerability]
has caused the Debian Bug report #713001,
regarding http://www.debian.org/mirror/submit does not escape user-entered values in page returned
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
713001: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=713001
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: www.debian.org
Severity: important
Control: retitle -1 http://www.debian.org/mirror/submit does not escape user-entered values in page returned
Control: submitter -1 codie manjot <codiemanjot@gmail.com>
User: www.debian.org@packages.debian.org
Usertags: scripts mirror


On Fri, 21 Jun 2013, codie manjot wrote:
> I found a non-persistent XSS in Debian.org. Below I have provided the
> vulnerable link. Please look into it & deploy a fix ASAP, then revert
> back to me.
> 
> Vulnerability - Cross site scripting
> Vulnerable Link - http://www.debian.org/mirror/submit

As we mentioned previously, to report bugs against the website, please
file bugs against the www.debian.org package, as I have done with this
e-mail.
 
> POC -
> - Open the above given vulnerable link
> - Once opened, copy the below given XSS script in all the fields on that
> webpage & then click on submit. The malicious JavaScript was successfully
> injected on the webpage.


-- 
Don Armstrong                      http://www.donarmstrong.com

I always thought
violence didn't solve anything
until one day it did.
 -- a softer world #470
    http://www.asofterworld.com/index.php?id=470

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Jun 21, 2013 at 02:37:29PM -0700, Don Armstrong wrote:
> Control: tag -1 patch
> 
> On Fri, 21 Jun 2013, codie manjot wrote:
> > POC - - Open the above given vulnerable link - Once opened, copy the
> > below given XSS script in all the fields on that webpage & then
> > click on submit. The malicious JavaScript was successfully injected
> > on the webpage.
> 
> The attached patch fixes this problem.

Thanks for the patch Don, applied.

> As a side note, could we please put the code for the scripts running on
> cgi.debian.org into a publicly accessible VCS repository (ideally git)
> on git.debian.org or similar?

git+ssh://git.debian.org/git/debwww/cgi.git
http://anonscm.debian.org/gitweb/?p=debwww/cgi.git;a=summary

To be updated, a manual 'git pull' must be performed as debwww on
cgi.d.o. 

-- 
Simon Paillard

--- End Message ---