Package: www.debian.org
Severity: important
Control: retitle -1 http://www.debian.org/mirror/submit does not escape user-entered values in page returned
Control: submitter -1 codie manjot <codieman...@gmail.com>
User: www.debian....@packages.debian.org
Usertags: scripts mirror
On Fri, 21 Jun 2013, codie manjot wrote:
> I found a non-persistent XSS in Debian.org. Below I have provided the
> vulnerable link. Please look into it & deploy a fix ASAP and revert
> back to me.
>
> Vulnerability - Cross site scripting
> Vulnerable Link - http://www.debian.org/mirror/submit

As we mentioned previously, to report bugs against the website, please
file bugs against the www.debian.org package, as I have done with this
e-mail.

> POC -
> - Open the above given vulnerable link
> - Once opened, copy the below given XSS script in all the fields on that
>   webpage & then click on submit. The malicious JavaScript was successfully
>   injected on the webpage.

-- 
Don Armstrong                                  http://www.donarmstrong.com

I always thought violence didn't solve anything until one day it did.
 -- a softer world #470
    http://www.asofterworld.com/index.php?id=470
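The bug class named in the retitled report (submitted form values echoed into the returned page without escaping) and its fix, as an added Python example that is not part of this thread or of the www.debian.org scripts; the field names, the page layout and the sample submission are assumptions made for illustration:

```python
import html
from typing import Mapping

# Assumed field names for the submission form; the real form's fields are not
# given in the report.
FIELDS = ("site", "maintainer", "comment")

# Constructed sample submission containing characters that matter in HTML.
SAMPLE = {
    "site": "ftp.example.org",
    "maintainer": "Jane <jane@example.org>",
    "comment": 'fast "mirror"',
}


def render_confirmation(values: Mapping[str, str], escape: bool = True) -> str:
    """Build the page that echoes the submitted values back to the user.

    escape=False reproduces the reported defect: each value is interpolated
    into the HTML verbatim, so markup in a field becomes markup in the page.
    escape=True (the fix) HTML-escapes every value; quote=True is needed
    because the value is also placed inside an attribute of the input element.
    """
    rows = []
    for name in FIELDS:
        raw = values.get(name, "")
        shown = html.escape(raw, quote=True) if escape else raw
        rows.append(
            f"<tr><td>{name}</td><td>{shown}</td>"
            f'<td><input name="{name}" value="{shown}"></td></tr>'
        )
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def reflects_unescaped(page: str, values: Mapping[str, str]) -> bool:
    """Check used in review/testing: True if any value that escaping would
    have altered appears verbatim in the page, i.e. it was not escaped."""
    return any(
        v != html.escape(v, quote=True) and v in page for v in values.values()
    )
```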