FS#28515 - XSS seemingly possible through the AUR, with package names.
Attached to Project: AUR web interface
Opened by Samuel Dionne-Riel (samueldr) - Sunday, 19 February 2012, 02:12 GMT
Last edited by Lukas Fleischer (lfleischer) - Sunday, 19 February 2012, 16:19 GMT
Details
XSS seemingly possible through the AUR.
Here is the URL of the previously submitted package. http://aur.archlinux.org/packages.php?ID=56790 The vector used was the package name.
Closed by Lukas Fleischer (lfleischer)
Sunday, 19 February 2012, 16:19 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in master. Cherry-picked that patch on sigurd.
I accidentally pressed enter in another field.
It loaded an external script through a <script> tag.
I do not have the wget -O- dump anymore, inadvertently closed the terminal while a moderator deleted the offending package.
The script used was only a location.href though, but it could have been much much worse.
packages.php?ID=56793
They are affected too.
Now the main page is affected.
@Lukas: I only modified the lighttpd.conf; you'll find a backup in the same dir.
[1] http://mailman.archlinux.org/pipermail/aur-dev/2012-February/001961.html
/usr/lib/yaourt/aur.sh:
#local pkgurl=$(pkgquery -Aif "%u" "$pkg")
- local pkgurl="$AURURL/packages/$pkg/$pkg.tar.gz"
+ local pkgurl="$AURURL/packages/${pkg:0:2}/$pkg/$pkg.tar.gz"
if [[ ! "$pkgurl" ]] || ! curl_fetch -fs "$pkgurl" -o "$pkg.tar.gz"; then
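Review bot: On the added `pkgurl` line, `$pkg` and `${pkg:0:2}` are interpolated into the URL with no validation or URL-encoding, so a name containing `/`, `?`, `#` or whitespace changes the path that `curl_fetch` requests as well as the `-o "$pkg.tar.gz"` output file name; check `$pkg` against the permitted package-name characters before building the URL. Separately, because `pkgurl` is now always a non-empty string, the `[[ ! "$pkgurl" ]]` test in the following `if` can never be true, and the commented-out `pkgquery` line above should either be removed or restored as a fallback lookup.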