On 13.02.2012 13:33 Mehdi Dogguy wrote:
> On 13/02/12 04:48, Moritz Naumann wrote:
>> Hi Mehdi, Debian WB-Team, debian-ports.org webadmins,
>>
>> I just came across this XSS in the pgstatus code and thought I'd let
>> you know.
>>
>
> Thanks for letting us know! In fact, this XSS is somehow useless since
> the <script> is put in a <div> just to tell the user he made a mistake,
> and is not used elsewhere.
Hmm, I'm having trouble understanding your argument. Are you saying that
because you can inject javascript code 'only' within a <div></div> it's
not a problem? Javascript injected anywhere in a website is a problem
unless something prevents it from executing, such as in an HTML comment
(which you cannot end by starting the injection with '-->' or similar).
Yes, you can probably not steal any important information off this site.
Still, it's quite useful for phishing, link redirection, malware
injection etc.

> I agree that this is not so pretty. I've
> added a htmlspecialchars call around the user's input but I wonder if I
> should just remove the notification that used the malicious input
> because it was not very useful anyway.
>
> Aurélien, can you please apply the last commit to pgstatus's instance on
> debian-ports.org?
>
> Cheers.
>

Thanks for fixing it.

For what it's worth, I first reported this in July 2007 and repeatedly
since then, to various contacts, also including other issues. See also
rt.debian.org ticket #151. I do know Debian is all volunteer run. Still,
also because of the good work the security teams are doing, I had hoped
for a better responsiveness (this is 4,5 years now) to such issues.
Don't take me wrong, though, I'm happy this did get fixed and I
appreciate you doing it.

Moritz

--
Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin
Germany

Phone +49 (0)30 555 767 75
Fax   +49 (0)321 211 915 94
E-Mail [email protected]
Web    http://moritz-naumann.com
GPG    http://pool.sks-keyservers.net:11371/pks/lookup?search=0x934500B0
       17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C

Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097

Archive: http://lists.debian.org/[email protected]
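The fix discussed in the thread is to wrap the user-supplied value in htmlspecialchars before it is echoed inside the notification <div>. The following PHP is an added illustration, not pgstatus's own code: the function names, the notice markup and the sample input are all assumptions, chosen to show the unescaped pattern next to the escaped one and why the surrounding <div> offers no protection on its own.

```php
<?php
// Added example, not code from pgstatus or from the thread's authors.
// The helper names (render_notice_unsafe / render_notice_safe), the
// notice markup and the sample input are assumptions for illustration.

// Pattern the report describes: untrusted text interpolated straight into
// HTML. The enclosing <div> does nothing to stop a browser from parsing
// and executing tags contained in $userInput.
function render_notice_unsafe(string $userInput): string
{
    return '<div class="notice">Unknown value: ' . $userInput . '</div>';
}

// Pattern of the fix: HTML-encode the text node before output.
// ENT_QUOTES also encodes ' and " so the same helper stays safe inside a
// quoted attribute value; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the explicit charset avoids depending on the
// default encoding of older PHP releases.
function render_notice_safe(string $userInput): string
{
    $escaped = htmlspecialchars($userInput, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="notice">Unknown value: ' . $escaped . '</div>';
}

// Constructed sample input containing markup a browser would otherwise act on.
$sample = '<script>alert("xss")</script>';

echo render_notice_unsafe($sample), "\n";
echo render_notice_safe($sample), "\n";

// Self-check: after escaping, no raw tag from the input survives in the output,
// so the browser renders the text literally instead of executing it.
$safe = render_notice_safe($sample);
if (strpos($safe, '<script') !== false || strpos($safe, '"') !== false) {
    fwrite(STDERR, "escaping failed\n");
    exit(1);
}
echo "escaped output contains no raw input markup\n";
```

Run with `php example.php`. The first line printed is the raw markup as the vulnerable version would serve it; the second has every `<`, `>`, `"` and `'` replaced by an HTML entity, which is the whole of the fix: the context (text node inside a <div>) is what decides the required encoding, and the encoding must be applied at the point of output, not when the value is received.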
