Hi,

On Wednesday 17 October 2012 20:26:15 Paul Wise wrote:
> On Thu, Oct 18, 2012 at 8:36 AM, Jasper Noe wrote:
> > Hello, the following link contains a redirection to pharmacy spam:
> >> [redacted]
>
> That looks like a security issue (XSS) in FusionForge, CCing the relevant
> folks.
Thanks for forwarding the report.

FusionForge is apparently serving the attachments with the content-type of the file, which in this and other cases would make browsers attempt to display the content instead of forcing a download. Were they being served with the application/octet-stream MIME type, browsers would usually display the download prompt.

The given URL is one of many that point to files attached to tickets, and it happens to be an HTML file with the look&feel of alioth.

FusionForge maintainers: could you please address this issue and comment on the other ones? If the version in squeeze can't be supported we could remove it, but we can't just get rid of alioth.

Regards,
-- 
Raphael Geissert
Debian Security Team
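The mitigation described in the reply above (serve uploaded attachments as application/octet-stream so the browser downloads them rather than rendering them), as an added example that is not FusionForge code or part of the original thread. The header names are standard HTTP; the function and constant names are my own.

```python
import re

# Content types a browser will render or execute as a page in the site's own
# origin when served inline; an attachment served this way is the case in the
# thread above.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/javascript", "application/javascript"}


def attachment_headers(filename):
    """Build response headers that force a download regardless of the
    uploaded file's declared type. The filename is reduced to a safe ASCII
    token so it cannot smuggle header delimiters or extra parameters into
    Content-Disposition."""
    safe = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "attachment"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": 'attachment; filename="%s"' % safe,
        # Ask browsers not to sniff the body into a different (active) type.
        "X-Content-Type-Options": "nosniff",
    }


def audit_headers(headers):
    """Return a list of findings for a response that serves user-uploaded
    content. Header names are matched case-insensitively, as in HTTP."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    disp = h.get("content-disposition", "").lower()
    if ctype in ACTIVE_TYPES and not disp.startswith("attachment"):
        findings.append("active content type %s served inline" % ctype)
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    if "content-disposition" not in h:
        findings.append("missing Content-Disposition: attachment")
    return findings


if __name__ == "__main__":
    # Constructed sample: an uploaded .html attachment served with its own
    # content type, the pattern the thread describes.
    unsafe = {"Content-Type": "text/html; charset=utf-8"}
    print(audit_headers(unsafe))
    print(audit_headers(attachment_headers("ticket page.html")))
```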

