Package: debbugs
Version: n/a
Severity: important
Tags: security

Hi!

On Saturday, 01.11.2008, at 17:47 +0100, Moritz Naumann wrote:
> I just realized there's a cross site scripting issue on bugs.debian.org,
> which you might like to fix.
>
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3Ealert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22

Confirmed.

> I know it's not your domain, but I'd like to point out that another XSS
> and some other issue (which may range from info disclosure to DoS) has
> been around on buildd.debian.org for a long time, first reported in Aug
> 2007, with reminders sent in June this year, and still unfixed.
>
> Since, so far, there has apparently not been enough need to fix it,
> here are these URLs on a public mailing list now.
>
> http://buildd.debian.org/build.php?pkg=%3Cscript%3Ealert(0)%3C/script%3E
> http://buildd.debian.org/build.php?&pkg=at&arch=%3Cscript%3Ealert(0)%3C/script%3E
>
> Let me know if you need any help fixing these.

Hmm, I'm not too sure if there is a (pseudo) package that this bug could
get cloned to for that, best thing probably would be to open a ticket in
RT.debian.org about it, but I'm not too sure in which queue? Maybe someone
else knows where to address this best these days ...

Thanks,
Rhonda
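
Added example, not part of the original message and not debbugs code: the `src` value from the pkgreport.cgi URL reported above is rendered into an HTML attribute with and without escaping, then parsed to see which tags result. The form template and all function names are assumptions, since the report does not show the pkgreport.cgi markup.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL from the report above; the query value is percent-encoded.
REPORTED_URL = ("http://bugs.debian.org/cgi-bin/pkgreport.cgi?src=%22%3E%3Cscript%3E"
                "alert(%27Oops.%27)%3C/script%3E%3Cx%20y=%22")

# Hypothetical template: the real pkgreport.cgi markup is not shown in the report.
TEMPLATE = '<form><input type="text" name="src" value="{src}"></form>'


def src_param(url):
    """Return the decoded src query parameter, as a CGI script would see it."""
    return parse_qs(urlsplit(url).query)["src"][0]


def render_unescaped(src):
    """The 'before' form: the value is pasted into the attribute as-is."""
    return TEMPLATE.format(src=src)


def render_escaped(src):
    """Hardened form: escape &, <, > and both quote characters for attribute context."""
    return TEMPLATE.format(src=html.escape(src, quote=True))


class Audit(HTMLParser):
    """Record which tags the parser sees and what value the input element carries."""
    def __init__(self):
        super().__init__()
        self.tags, self.input_value = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def audit(page):
    """Parse a rendered page and return (list of start tags, input value)."""
    parser = Audit()
    parser.feed(page)
    parser.close()
    return parser.tags, parser.input_value
```

With escaping, the parser sees only the `form` and `input` tags and the input's value round-trips to the submitted string; without it, the leading `">` closes the attribute and a `script` element appears in the page.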