Your message dated Tue, 30 Mar 2004 23:55:31 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#240675: www.debian.org: redirect.pl wide open and fools people
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Mar 2004 17:05:22 +0000
>From [EMAIL PROTECTED] Sun Mar 28 09:05:22 2004
Return-path: <[EMAIL PROTECTED]>
Received: from smop.xs4all.nl (localhost) [213.84.68.234] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1B7dis-0003Q6-00; Sun, 28 Mar 2004 09:05:22 -0800
Received: by localhost (Postfix, from userid 1000)
        id F04E37FCBE; Sun, 28 Mar 2004 19:05:30 +0200 (CEST)
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Bart Schuller <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: www.debian.org: redirect.pl wide open and fools people
X-Mailer: reportbug 2.55
Date: Sun, 28 Mar 2004 19:05:30 +0200
Message-Id: <[EMAIL PROTECTED]>
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

Package: www.debian.org
Severity: normal


As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
the redirect.pl script on cgi.debian.org can be abused. Note that it
didn't work in galeon, but I expect this will be different for people
using Windows.

Perhaps some sort of referrer check is in order?

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=en_US

---------------------------------------
Received: (at 240675-done) by bugs.debian.org; 31 Mar 2004 07:51:56 +0000
>From [EMAIL PROTECTED] Tue Mar 30 23:51:56 2004
Return-path: <[EMAIL PROTECTED]>
Received: from zoot.lafn.org [206.117.18.6] 
        by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
        id 1B8aVw-0000sC-00; Tue, 30 Mar 2004 23:51:56 -0800
Received: from catalunya (host-66-81-28-109.rev.o1.com [66.81.28.109])
        by zoot.lafn.org (8.12.3p3/8.12.3) with ESMTP id i2V7prVX008114
        (version=TLSv1/SSLv3 cipher=RC4-SHA bits=128 verify=NO);
        Tue, 30 Mar 2004 23:51:54 -0800 (PST)
        (envelope-from [EMAIL PROTECTED])
Received: from kraai by catalunya with local (Exim 4.30)
        id 1B8aZP-0000GO-Sk; Tue, 30 Mar 2004 23:55:31 -0800
Date: Tue, 30 Mar 2004 23:55:31 -0800
From: Matt Kraai <[EMAIL PROTECTED]>
To: Frank Lichtenheld <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: Bart Schuller <[EMAIL PROTECTED]>
Subject: Re: Bug#240675: www.debian.org: redirect.pl wide open and fools people
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
User-Agent: Mutt/1.5.5.1+cvs20040105i
Sender: Matt Kraai <[EMAIL PROTECTED]>
X-Virus-Scanned: ClamAV version 'clamd / ClamAV version devel-20040209', 
clamav-milter version '0.66m'
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
        (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-4.0 required=4.0 tests=BAYES_20,HAS_BUG_NUMBER 
        autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-Spam-Level: 

On Tue, Mar 30, 2004 at 02:53:57PM +0200, Frank Lichtenheld wrote:
> tags 240675 patch
> thanks
> 
> On Sun, Mar 28, 2004 at 07:05:30PM +0200, Bart Schuller wrote:
> > As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
> > the redirect.pl script on cgi.debian.org can be abused. Note that it
> > didn't work in galeon, but I expect this will be different for people
> > using Windows.
> > 
> > Perhaps some sort of referrer check is in order?
> 
> This has been pointed out before (like a week ago or so).
> A patch for it by me can be found at:
> http://lists.debian.org/debian-www/2004/debian-www-200403/msg00202.html
> 
> Can anyone of the webmasters please investigate this?

Applied, thanks for the patch.

-- 
Matt Kraai            [EMAIL PROTECTED]            http://ftbfs.org/
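The check a redirector such as redirect.pl needs, as an added example in Python (this is not the Debian script, nor Frank Lichtenheld's patch linked above, whose contents are not reproduced here): rather than the Referer test the report suggests, which relies on a client-supplied header that is often absent, it validates the requested destination against an allowlist of hosts and rejects the usual open-redirect bypass shapes. The allowlist and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts a redirect may point at. Constructed allowlist for this example;
# the real cgi.debian.org configuration is not known from the bug report.
ALLOWED_HOSTS = frozenset({"www.debian.org", "cgi.debian.org", "lists.debian.org"})


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a same-site relative path or an http(s) URL whose
    host is exactly on the allowlist. Ambiguous shapes (scheme-relative
    //host, backslashes, userinfo@host, non-http schemes, control
    characters) are rejected outright instead of being normalised."""
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return False
    try:
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()   # may raise on bad IPv6 literals
    except ValueError:
        return False
    if parts.scheme == "" and parts.netloc == "":
        # Relative path: exactly one leading "/", so a browser cannot read it
        # as scheme-relative (//evil.example/) and jump off-site.
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False                       # javascript:, data:, ftp:, ...
    if parts.username is not None or parts.password is not None:
        return False                       # http://www.debian.org@evil.example/
    return host in allowed_hosts           # exact match, no suffix matching


def redirect_target(requested: str, fallback: str = "/") -> str:
    """Destination a hardened redirector would actually send the client to:
    the requested URL if it passes validation, otherwise a safe fallback."""
    return requested if is_safe_redirect(requested) else fallback
```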
