On Mon, Dec 11, 2006 at 06:51:34PM +0100, Javier Fernández-Sanguino Peña wrote:
> This is not code injection, it's cross-site scripting. Given that:
>
> - packages.debian.org does not have any kind of client authentication
> - packages.debian.org does not use an SSL certificate
>
> this is as much a problem as somebody being able to set up a "fake"
> packages.debian.org or do MITM injection.
I beg to differ! This is a very serious problem, as this XSS hole can easily be abused to trick people into downloading fake packages, which means the attacker gets root on their machines. "I'm certain I downloaded this file from packages.d.o, so surely it must be the right one?!"

The only thing they need to do to fall victim to this is to go to packages.d.o via a link that the attacker controls. For example, this could be done with a fake posting to bugtraq.

Someone, please apply Javier's patch as soon as possible!!

http://bugs.debian.org/402631

Cheers,

Richard

--
Richard Atterer | GnuPG key: 888354F7 | http://atterer.net
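The point Richard makes above is that "I fetched it from packages.d.o" is not evidence that a .deb is genuine; what can be checked is that the file matches the Size and SHA256 recorded for it in the archive's Packages index (which apt in turn authenticates via the signed Release file). The following is an added illustration, not code from this thread or from Debian: it parses a constructed Packages-index stanza and verifies a constructed stand-in for a downloaded .deb against it; authenticating the index itself is assumed to have happened already.

```python
import hashlib
import hmac
from typing import Dict, Iterator, Optional


def parse_packages_index(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per blank-line-separated stanza of a Packages index.
    Lines starting with whitespace continue the previous field."""
    stanza: Dict[str, str] = {}
    last_key: Optional[str] = None
    for line in text.splitlines():
        if not line.strip():
            if stanza:
                yield stanza
            stanza, last_key = {}, None
        elif line[0] in " \t" and last_key:
            stanza[last_key] += "\n" + line.strip()
        else:
            key, _, value = line.partition(":")
            last_key = key.strip()
            stanza[last_key] = value.strip()
    if stanza:
        yield stanza


def verify_deb(data: bytes, filename: str, index_text: str) -> bool:
    """Accept downloaded bytes only if the index lists this Filename with a
    matching Size and SHA256. Where the bytes were fetched from is irrelevant."""
    for stanza in parse_packages_index(index_text):
        if stanza.get("Filename") != filename:
            continue
        if int(stanza.get("Size", "-1")) != len(data):
            return False
        expected = stanza.get("SHA256", "").lower()
        actual = hashlib.sha256(data).hexdigest()
        return hmac.compare_digest(expected, actual)
    return False  # not listed in the index at all: reject


# Constructed sample data: a stand-in for a real .deb and an index describing it.
GENUINE_DEB = b"!<arch>\nconstructed stand-in for the bytes of example-pkg_1.0-1_all.deb\n"
SAMPLE_INDEX = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    "Filename: pool/main/e/example-pkg/example-pkg_1.0-1_all.deb\n"
    f"Size: {len(GENUINE_DEB)}\n"
    f"SHA256: {hashlib.sha256(GENUINE_DEB).hexdigest()}\n"
    "\n"
    "Package: other-pkg\n"
    "Filename: pool/main/o/other-pkg/other-pkg_2.0_all.deb\n"
    "Size: 12\n"
    "SHA256: " + "0" * 64 + "\n"
)
```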