On Thu, Oct 22, 2015 at 02:22:12PM +0000, Othmane Tamagart wrote:
> Hi Debian,
>
> I'm 0thm4n@WhiteHatSec. I am a student security researcher and Certified Pentester, and in my research I have found a very-high-risk vulnerability called XSS (Cross-site Scripting).
>
> Vulnerable file: http://cdimage-search.debian.org/?search_area=release&type=simple&query=
>
> Vulnerable URL + PoC: http://cdimage-search.debian.org/?search_area=release&type=simple&query=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%220thm4n%40WhiteHatSecurity%22%29%3B%3E&Search=Search&.cgifields=search_area&.cgifields=type
>
> POST data: "><img src=x onerror=prompt("0thm4nWhiteHatSecurity");>
>
> Proof of concept: http://i.imgur.com/uKtglGC.png
>
> About the vulnerability (bug): https://en.wikipedia.org/wiki/Cross-site_scripting
>
> Risk: Security Risk Critical

Hi Othmane,

Thanks very much for your report! I've just pushed a fix to sanitise input here - please let us know if you find anything further.

-- 
Steve McIntyre, Cambridge, UK.                                steve@einval.com
Google-bait: http://www.debian.org/CD/free-linux-cd
Debian does NOT ship free CDs. Please do NOT contact the mailing
lists asking us to send them to you.
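The report above shows the classic reflected-XSS shape: a search parameter echoed into the page unencoded, so a value beginning with `">` closes the input's value attribute and starts a new tag. The fix Steve mentions is not shown in the thread; the following is an added example, not Debian's code, that contrasts a raw reflection with one that HTML-encodes the parameter for both attribute and text context, using a constructed page template (the real cdimage-search form markup is assumed, not copied) and the report's own payload as sample input.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the payload from the report, URL-decoded.
REPORTED_PAYLOAD = '"><img src=x onerror=prompt("0thm4n@WhiteHatSecurity");>'

# Hypothetical search page; the query is reflected in an attribute value
# and again in page text, which are the two contexts an encoder must cover.
PAGE_TEMPLATE = (
    '<form method="get">'
    '<input type="text" name="query" value="{query}">'
    '<input type="submit" name="Search" value="Search">'
    '</form>'
    '<p>Results for: {query}</p>'
)


def render_vulnerable(query: str) -> str:
    """Reflects the raw parameter: the pattern the report exploits."""
    return PAGE_TEMPLATE.replace("{query}", query)


def render_fixed(query: str) -> str:
    """Encodes <, >, &, " and ' before reflecting, so the value stays inert
    whether it lands inside a quoted attribute or in element text."""
    return PAGE_TEMPLATE.replace("{query}", html.escape(query, quote=True))


class TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def tags_in(page: str) -> list:
    """Return the start tags present in a rendered page, in document order.
    A reflected payload that smuggles in a new element shows up here."""
    collector = TagCollector()
    collector.feed(page)
    return collector.tags


if __name__ == "__main__":
    print("vulnerable:", tags_in(render_vulnerable(REPORTED_PAYLOAD)))
    print("fixed:     ", tags_in(render_fixed(REPORTED_PAYLOAD)))
```

Parsing the rendered output rather than grepping the raw string is the useful check: the vulnerable render yields an extra `img` element at each reflection point, while the encoded render contains only the template's own `form`, `input` and `p` elements, and the payload appears verbatim as harmless text. Encoding on output, per context, is what "sanitise input" has to mean in practice; stripping characters on the way in tends to break legitimate queries and miss other contexts.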