[Popcon-developers] possible XSS issues in popcon server
Bill Allombert
ballombe at debian.org
Sat Mar 21 13:42:01 UTC 2015
Dear popularity-contest server admins,
Paul Wise found an input validation issue in the example scripts
shipped with popularity-contest.
In his own words:
The example scripts for running a popcon server do not escape
architecture and popularity-contest version number values before putting
them on the popcon website, which means that a malicious popcon
submitter could inject arbitrary HTML into the popcon website.
The injected HTML could include everything from advertising to
JavaScript code attempting to steal authentication cookies for other
subdomains in the same top-level domain.
The vulnerable HTML files are generated by the script popcon.pl.
However, it seems safer to reject such reports outright in the script
prepop.pl. The attached patch does that.
The patch has been applied to the official popcon.debian.org.
If you generate a website from popcon data, we encourage you to check for this
issue.
Sorry for the inconvenience,
Cheers,
--
Bill. <ballombe at debian.org>
Imagine a large red swirl here.
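An added illustration, not part of this mail or of the popularity-contest scripts, of the two layers the report describes: the ingest-time allowlist that the patch adds to prepop.pl, and the output-time HTML escaping that popcon.pl would need so that a field never covered by an allowlist still cannot reach the page raw. The function names, the table row and the sample reports are assumptions for the example.

```perl
#!/usr/bin/perl
# Added example (not popularity-contest code): the two defences
# discussed above, written as small functions so they can be tested.
use strict;
use warnings;

# Ingest-time check, mirroring the allowlists the patch adds to prepop.pl.
# \z is used instead of $ so a trailing newline cannot slip through.
sub report_ok {
    my (%field) = @_;
    my $arch = $field{'ARCH'};
    return 0 if defined($arch) && $arch !~ /^[0-9A-Za-z-]*\z/;
    my $vers = $field{'POPCONVER'};
    return 0 if defined($vers)
        && ($vers =~ /^1\.56ubuntu1/ || $vers !~ /^[0-9A-Za-z.+~:-]*\z/);
    return 1;
}

# Output-time escaping, the complementary fix for the generator: every
# value placed into HTML is escaped no matter where it came from.
sub html_escape {
    my ($s) = @_;
    my %map = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$map{$1}/g;
    return $s;
}

# A hypothetical table row of the kind a popcon website page contains.
sub arch_row {
    my ($arch, $count) = @_;
    return '<tr><td>' . html_escape($arch) . "</td><td>$count</td></tr>\n";
}

# Constructed sample reports: one normal, one carrying HTML in ARCH.
my @reports = (
    { ARCH => 'amd64',         POPCONVER => '1.61' },
    { ARCH => 'amd64<b>x</b>', POPCONVER => '1.61' },
);
for my $r (@reports) {
    if (report_ok(%$r)) {
        print "accepted: ", arch_row($r->{ARCH}, 1);
    } else {
        print "rejected: $r->{ARCH}\n";
    }
}
# Even if such a value reached the generator, escaping keeps it inert.
print arch_row('amd64<b>x</b>', 1);
```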
-------------- next part --------------
diff --git a/examples/bin/prepop.pl b/examples/bin/prepop.pl
index c2c4fb5..96cf3a8 100755
--- a/examples/bin/prepop.pl
+++ b/examples/bin/prepop.pl
@@ -29,8 +29,14 @@ sub get_report
return 'reject';
}
$id=$1; #untaint $id
+ $arch=$field{'ARCH'};
+ if (defined($arch) && $arch !~ /^[0-9A-Za-z-]*$/)
+ {
+ print STDERR "Report rejected: $arch: $id\n";
+ return 'reject';
+ }
$vers=$field{'POPCONVER'};
- if (defined($vers) && $vers =~ /^1\.56ubuntu1/)
+ if (defined($vers) && ($vers =~ /^1\.56ubuntu1/ || $vers !~ /^[0-9A-Za-z.+~:-]*$/))
{
print STDERR "Report rejected: $vers: $id\n";
return 'reject';
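Review bot: both new allowlist checks anchor with `$`, which in Perl also matches just before a trailing newline, so an ARCH or POPCONVER value ending in "\n" still passes; `\z` is the stricter end-of-string anchor. Since the mail notes that popcon.pl writes these values into the generated HTML unescaped, this rejection is defence in depth, and the generator should still HTML-escape every value it emits so that fields not covered by these two regexes cannot reach the page raw.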