Your message dated Tue, 30 Mar 2004 23:55:31 -0800
with message-id <[EMAIL PROTECTED]>
and subject line Bug#240675: www.debian.org: redirect.pl wide open and fools people
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 28 Mar 2004 17:05:22 +0000
From: Bart Schuller <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: www.debian.org: redirect.pl wide open and fools people
Date: Sun, 28 Mar 2004 19:05:30 +0200
Message-Id: <[EMAIL PROTECTED]>

Package: www.debian.org
Severity: normal

As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
the redirect.pl script on cgi.debian.org can be abused. Note that it
didn't work in Galeon, but I expect this will be different for people
using Windows.

Perhaps some sort of referrer check is in order?
-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.4
Locale: LANG=C, LC_CTYPE=en_US

---------------------------------------
Received: (at 240675-done) by bugs.debian.org; 31 Mar 2004 07:51:56 +0000
Date: Tue, 30 Mar 2004 23:55:31 -0800
From: Matt Kraai <[EMAIL PROTECTED]>
To: Frank Lichtenheld <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
Cc: Bart Schuller <[EMAIL PROTECTED]>
Subject: Re: Bug#240675: www.debian.org: redirect.pl wide open and fools people
Message-ID: <[EMAIL PROTECTED]>
In-Reply-To: <[EMAIL PROTECTED]>

On Tue, Mar 30, 2004 at 02:53:57PM +0200, Frank Lichtenheld wrote:
> tags 240675 patch
> thanks
>
> On Sun, Mar 28, 2004 at 07:05:30PM +0200, Bart Schuller wrote:
> > As can be seen in http://slashdot.org/comments.pl?sid=102006&cid=8695895
> > the redirect.pl script on cgi.debian.org can be abused. Note that it
> > didn't work in Galeon, but I expect this will be different for people
> > using Windows.
> >
> > Perhaps some sort of referrer check is in order?
>
> This has been pointed out before (like a week ago or so).
> A patch for it by me can be found at:
> http://lists.debian.org/debian-www/2004/debian-www-200403/msg00202.html
>
> Can any of the webmasters please investigate this?

Applied, thanks for the patch.

--
Matt Kraai [EMAIL PROTECTED] http://ftbfs.org/
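An added example, not the patch Frank Lichtenheld links above (that patch is not reproduced in this thread) and not Debian's redirect.pl: a Python sketch of the two checks a redirect script of this kind needs, an allowlist of redirect-target hosts and the referrer check Bart suggests. The hostnames in ALLOWED_HOSTS and the site base URL are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, urljoin

# Assumed for the example: hosts the redirect script is willing to send
# users to. The real script's policy is not shown in the bug thread.
ALLOWED_HOSTS = {"www.debian.org", "lists.debian.org", "packages.debian.org"}
SITE_BASE = "https://www.debian.org/"  # assumed base for relative targets


def safe_redirect_target(target, allowed_hosts=ALLOWED_HOSTS):
    """Return the URL to emit in the Location header, or None if the
    requested target is not trusted. Covers the usual open-redirect
    shapes: foreign absolute URLs, scheme-relative '//host', non-HTTP
    schemes, and userinfo tricks such as 'https://www.debian.org@evil/'."""
    if not target or any(c in target for c in "\r\n\t"):
        return None  # CR/LF in the target would allow header injection
    target = target.strip()
    parts = urlsplit(target)  # lowercases the scheme for us
    if parts.scheme and parts.scheme not in ("http", "https"):
        return None  # javascript:, data:, ftp: and friends
    if parts.netloc:
        # .hostname strips userinfo and port and lowercases the host,
        # so 'https://www.debian.org@evil.example/' resolves to evil.example
        host = parts.hostname or ""
        return target if host in allowed_hosts else None
    # No host part: accept only a site-relative path. '//x' already has a
    # netloc above; '/\x' is treated as scheme-relative by some browsers.
    if not target.startswith("/") or target.startswith("/\\"):
        return None
    return urljoin(SITE_BASE, target)


def referrer_is_trusted(referer_header, allowed_hosts=ALLOWED_HOSTS):
    """The referrer check the report suggests: only honour redirects that
    were linked from one of our own pages. Browsers may omit or strip
    Referer, so an absent header is treated as untrusted here."""
    if not referer_header:
        return False
    host = urlsplit(referer_header.strip()).hostname or ""
    return host in allowed_hosts


def decide(target, referer_header):
    """Combine both checks; returns the safe URL or None (send a 400)."""
    if not referrer_is_trusted(referer_header):
        return None
    return safe_redirect_target(target)
```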