oss-sec mailing list archives
Cgit XSS "vulnerability" has no CVE?
From: Peter Bex <peter () more-magic net>
Date: Sat, 5 Mar 2016 18:41:03 +0100
Hi there, I just noticed that cgit versions before v0.12 contain a bug in the "txt2html" filter script: https://git.zx2c4.com/cgit/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e It seems this is the mailing list thread in which the fix was posted (unfortunately, the attachment was dropped): https://lists.zx2c4.com/pipermail/cgit/2015-August/002561.html The release notes for v0.12 mention the fix, but there seems to be no CVE for it: https://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html This allows for an XSS attack by anyone with write access: If you can push to a git repository for which the "txt2html" converter is activate, you can create a README or README.txt and insert arbitrary HTML. Please note that the recommended "about-formatting.sh" filter will also allow unfiltered HTML files, Markdown or ReST documents, so that's arguably by design. But it's definitely a surprise for people like myself who would expect all files to be filtered for safe HTML like GitHub or Bitbucket do. And of course, in cases where an administrator tries to add *restricted* README support by allowing only plaintext files through the txt2html filter, this would definitely be undesired. Finally, the about-formatting.sh may be shipped by default, but the default value of the "about-filter" is empty, and it seems that the installation script does *not* supply a default configuration file which could override that, so it has to be explicitly enabled by the user (or the distro's package). Anyway, all in all, I think this is probably worth a CVE because it's so non-obvious. Cheers, Peter Bex
Attachment:
signature.asc
Description: Digital signature
Current thread:
- Cgit XSS "vulnerability" has no CVE? Peter Bex (Mar 05)
- Re: Cgit XSS "vulnerability" has no CVE? Jason A. Donenfeld (Mar 07)
- Re: Cgit XSS "vulnerability" has no CVE? Jason A. Donenfeld (Mar 07)
- Re: Cgit XSS "vulnerability" has no CVE? Peter Bex (Mar 07)
- Re: Cgit XSS "vulnerability" has no CVE? Jason A. Donenfeld (Mar 07)
- Re: Cgit XSS "vulnerability" has no CVE? Peter Bex (Mar 07)