Package: src:dtc
Version: 0.32.10-2
Severity: grave
Tags: security upstream

dtc does not escape variables in HTML output in many places. An example is the "Domain root TXT record:" field on the "DNS and MX" page where it is possible to enter values such as

  This is fun."><strong>Isn't it?</strong><input type="hidden

In combination with JavaScript and asking the admin to visit the page under some pretense this can probably give interesting results.

Ansgar
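
The effect of output escaping on the value quoted in the report, as an added example that is not part of the original report and is not dtc's code. The function names and the txt_root field name are hypothetical, and the DOM check assumes PHP's dom extension is available.

```php
<?php
// Added illustration, not dtc source. Function and field names are hypothetical.

// Unescaped rendering: the stored value is concatenated straight into the attribute.
function render_txt_field_unescaped(string $value): string
{
    return '<input type="text" name="txt_root" value="' . $value . '">';
}

// Escaped rendering: encode for an HTML attribute context at output time.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of making htmlspecialchars() return an empty string.
function render_txt_field_escaped(string $value): string
{
    $safe = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="txt_root" value="' . $safe . '">';
}

// Parse a rendered fragment and report which elements a browser would build from it.
function inspect_fragment(string $html): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // keep parser warnings out of the output
    $doc->loadHTML('<html><body>' . $html . '</body></html>');
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    return [
        'inputs' => $inputs->length,
        'strong' => $doc->getElementsByTagName('strong')->length,
        'value'  => $inputs->length ? $inputs->item(0)->getAttribute('value') : null,
    ];
}

// The value quoted in the report above.
$reported = 'This is fun."><strong>Isn\'t it?</strong><input type="hidden';

$renderers = [
    'unescaped' => 'render_txt_field_unescaped',
    'escaped'   => 'render_txt_field_escaped',
];
foreach ($renderers as $label => $render) {
    $r = inspect_fragment($render($reported));
    // A correct renderer yields exactly one input, no extra elements,
    // and an attribute value identical to what the user entered.
    printf("%-9s inputs=%d strong=%d value_round_trips=%s\n",
        $label, $r['inputs'], $r['strong'],
        $r['value'] === $reported ? 'yes' : 'no');
}
```

The same parse-and-count check can serve as a regression test for each field once its output is escaped.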