On Sat, 27 Sep 2014, Vlad Constantin wrote: > I'll add to this bug instead of making a new one. > > /cgi-bin/cookies.cgi contains XSS (persistent via cookie) and Header > injection vulnerabilities in vars repeatmerged, terse, reverse, trim, > oldview > > XSS PoC: > https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%3Cscript%3Ealert('xss')%3B%3C/script%3E > Header injection PoC: > https://bugs.debian.org/cgi-bin/cookies.cgi?repeatmerged=%0aLocation%3A%20http%3A%2F%2Fgoogle.com%2F%0a
Thanks for reporting these; those scripts probably shouldn't even be in use at all. I've already removed them from bugs.debian.org, and I'll probably eliminate them from git shortly. -- Don Armstrong http://www.donarmstrong.com "There's no problem so large it can't be solved by killing the user off, deleting their files, closing their account and reporting their REAL earnings to the IRS." -- The B.O.F.H.. -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
