I was just made aware that
http://packages.debian.org/cgi-bin/download.pl
is very liberal in putting arbitrary stuff in the website,
try for example:

http://packages.debian.org/cgi-bin/download.pl?arch=i386&file=";></a><javascript><a
 href="&md5sum=<br><b>ups</b>&type=main

I think it should really only let characters safe for filenames
(Debian packages are [A-Za-z0-9_.+~:-] I think) through for files
and best omit the md5sum completely if it is that easy to fake.

Respectfully,
        Bernhard R. Link


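The report above describes a reflected HTML injection: the `file` and `md5sum` query parameters are copied into the page verbatim, so a `"` in `file` closes the href attribute and the rest of the value becomes markup. The example below is added here and is not the report's code or the actual download.pl; it is a Python stand-in for the Perl CGI that shows a render function with the reported behaviour beside a hardened one that applies the whitelist the report proposes, escapes on output, and drops `md5sum` from the page. The mirror prefix `MIRROR`, the page layout, and the function names are assumptions; the query string is rebuilt from the URL in the report.

```python
import html
import re
from urllib.parse import unquote_plus

# Character whitelist from the report: what may appear in a Debian package
# file name.  Used with fullmatch(), so the whole value must consist of these.
DEB_FILENAME_RE = re.compile(r'[A-Za-z0-9_.+~:-]+')

# Hypothetical mirror prefix the page links to (assumption, not taken from
# download.pl itself).
MIRROR = 'http://ftp.debian.org/debian/'

# Query string rebuilt on one line from the URL in the report.
MALICIOUS_QUERY = ('arch=i386&file=";></a><javascript><a href="'
                   '&md5sum=<br><b>ups</b>&type=main')


def parse_query(query):
    """Split a CGI query string into {name: first value}.

    Done by hand rather than with urllib.parse.parse_qs so that the ';'
    inside the payload is never treated as a separator (older Pythons split
    on it).  Like CGI.pm, '+' decodes to a space, so a literal '+' in a
    package name has to arrive as %2B.
    """
    params = {}
    for pair in query.split('&'):
        name, _, value = pair.partition('=')
        params.setdefault(unquote_plus(name), unquote_plus(value))
    return params


def is_safe_filename(name):
    """True only if name is non-empty and every character is whitelisted."""
    return DEB_FILENAME_RE.fullmatch(name) is not None


def render_vulnerable(params):
    """Mimics the reported behaviour: parameters go into the HTML verbatim.

    The '"' in the file value closes the href attribute and everything after
    it is emitted as markup of the requester's choosing.
    """
    file = params.get('file', '')
    return (f'<a href="{MIRROR}{file}">{file}</a> '
            f'(arch: {params.get("arch", "")}, '
            f'md5sum: {params.get("md5sum", "")})')


def render_hardened(params):
    """Whitelist-validate, escape on output, and do not reflect md5sum.

    Returns None when the request should be refused (HTTP 400), so the
    caller never builds a page from a rejected value.
    """
    file = params.get('file', '')
    arch = params.get('arch', '')
    # The same token whitelist is applied to arch; that is an assumption
    # here, not something the report states about download.pl.
    if not is_safe_filename(file) or not is_safe_filename(arch):
        return None
    # The whitelist already excludes <, >, &, " and ', so escaping is a
    # no-op for accepted values; keep it so a later relaxation of the regex
    # cannot silently reintroduce the injection.
    safe_file = html.escape(file, quote=True)
    safe_arch = html.escape(arch, quote=True)
    # md5sum is deliberately dropped, as the report suggests: a checksum
    # supplied by the requester is worthless to the reader and was just
    # another unescaped sink.
    return f'<a href="{MIRROR}{safe_file}">{safe_file}</a> (arch: {safe_arch})'


if __name__ == '__main__':
    attack = parse_query(MALICIOUS_QUERY)
    print('vulnerable:', render_vulnerable(attack))
    print('hardened:  ', render_hardened(attack))
    benign = parse_query('arch=i386&file=hello_2.10-2_i386.deb'
                         '&md5sum=0123456789abcdef0123456789abcdef&type=main')
    print('hardened:  ', render_hardened(benign))
```

Running it shows the vulnerable renderer emitting `<javascript>` and `<b>ups</b>` straight into the page, while the hardened one refuses the same request and, for a well-formed package name, produces a link containing nothing that was not in the whitelist.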