Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1403356583.1710.8.camel@scapa>
Date: Sat, 21 Jun 2014 15:16:23 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-sec <oss-security@...ts.openwall.com>
Cc: team@...urity.debian.org, Eduard Bloch <edi@....de>
Subject: Re: XSS vulnerability in apt-cacher-ng

On ven., 2014-06-20 at 12:06 +0200, Eduard Bloch wrote:
> Hello Security Team,
> 
> I am sorry to report that one of my packages (with upstream hat on) has
> an XSS attack vulnerability. The way for the attacker to exploit this is
> to redirect the user's browser in a LAN to apt-cacher-ng server (which
> address the attacker has to know) with a manipulated URL. Since the
> location and TCP port of the cacher server are configurable, it's IMHO
> not totally easy to find but is still a good attack vector with insider
> knowledge.

> 
> Here is the proposed fix:
> 
> http://anonscm.debian.org/gitweb/?p=apt-cacher-ng/apt-cacher-ng.git;a=commitdiff;h=6f08e6a3995d1bed4e837889a3945b6dc650f6ad
> 
> It simply doesn't show the path in the browser output, because it has no
> value there. It only needs to be in the http status line in order to be
> displayed in apt-get's messages, there is no need for users to visit
> such an URL and see that message.
> 
Hi,

it seems there is an XSS vulnerability present in apt-cacher-ng.
According to above text the issue looks minime, but I guess it still can
do with a CVE, could one be allocated?

Regards,
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.