From: Moritz Naumann <bugs.debian.org@moritz-naumann.com>
Date: Tue, 27 Aug 2013 14:42:49 +0000 (+0200)
Subject: XSS bug in db.debian.org
X-Git-Tag: release-0.3.40~50
X-Git-Url: https://git.adam-barratt.org.uk/?p=mirror%2Fuserdir-ldap-cgi.git;a=commitdiff_plain;h=784c4020017d260775339c1231052ca4eb387f02

XSS bug in db.debian.org

Hi, I just stumbled upon an XSS bug in db.debian.org:

https://db.debian.org/search.cgi?id=%22%3E%3C/a%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E%3Cx%20y=%22&dosearch=Search...

Both the "id" and "authtoken" fields lack input validation.

<zobel> bfly: you can find the code at git.debian.org in userdir-ldap-cgi
<zobel> would be nice if you could send a patch

A (n untested) patch is attached. Please let me know whether it's usable
and whether you are going to apply it.

-- Moritz

Signed-off-by: Martin Zobel-Helas <zobel@debian.org>
---

diff --git a/search.cgi b/search.cgi
index 2757d2f..9a38e3e 100755
--- a/search.cgi
+++ b/search.cgi
@@ -236,7 +236,7 @@ if (!$dosearch) {
     
     # If this is ourselves, present a link to do mods
     if ($auth && ($id eq $data->{uid}->[0])) { #TODO: extract this string into a url for translation...
-      $outsub{searchresults} .= "<a href=\"$proto://$ENV{SERVER_NAME}/$config{webupdateurl}?id=$id&authtoken=$authtoken&editdn=".uri_escape($dn, "\x00-\x40\x7f-\xff")."\">Edit my settings</a>\n";
+      $outsub{searchresults} .= "<a href=\"$proto://$ENV{SERVER_NAME}/$config{webupdateurl}?id=".uri_escape($id)."&authtoken=".uri_escape($authtoken)."&editdn=".uri_escape($dn, "\x00-\x40\x7f-\xff")."\">Edit my settings</a>\n";
     }
     
     $outsub{searchresults} .= "<br><br><br>\n";