[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Critical Vulnerability on your website!

On Thu, Oct 22, 2015 at 02:22:12PM +0000, Othmane Tamagart wrote:
>HI Debian ,
>I'm 0thm4n@WhiteHatSec , i am a Based-Student security researcher, Certified Pentester & i did a research i've found a Very-High Risk Vulnerability Called XSS ( Cross-site Scripting )
>Vulnerable File : http://cdimage-search.debian.org/?search_area=release&type=simple&query=
>Vulnerable URL + p0c  : http://cdimage-search.debian.org/?search_area=release&type=simple&query=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%220thm4n%40WhiteHatSecurity%22%29%3B%3E&Search=Search&.cgifields=search_area&.cgifields=type
>POST DATA : "><img src=x onerror=prompt("0thm4nWhiteHatSecurity");>
>Proof-Of-Concept : http://i.imgur.com/uKtglGC.png
>About Vulnerability ( BUG ) : https://en.wikipedia.org/wiki/Cross-site_scripting
>Risk : Security Risk Critical

Hi Othmane,

Thanks very much for your report!

I've just pushed a fix to sanitise input here - please let us know if
you find anything further.

Steve McIntyre, Cambridge, UK.                                steve@einval.com
Google-bait:       http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.

Attachment: signature.asc
Description: Digital signature

Reply to: