oss-sec mailing list archives
Re: Security issue in gitweb
From: Josh Bressers <bressers () redhat com>
Date: Mon, 6 Jun 2011 13:36:25 -0400 (EDT)
Please use CVE-2011-2186 for this. Thanks. -- JB ----- Original Message -----
A security bug was reported by 'dave b' (in CC) against gitweb in Ubuntu. You are being emailed as the upstream contact. Please keep oss-security[1] CC'd for any updates on this issue. This issue should be considered public, but has not yet been assigned a CVE. Once a CVE is assigned, please mention it in any changelogs. Details from the public bug follow: https://launchpad.net/bugs/777804 From the reporter: ---- I am reporting a persistent xss vector in gitweb, note this requires a user to have commit access to a repository that gitweb is configured to display. The vector is the fact that gitweb "serves" up xml files - which can (just as gitweb does) embed html that could be used to perform a cross-site scripting attack. e.g. (lol.xml). <?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US" lang="en-US"> <head> </head> <script>alert(1);</script> </html> and viewed at http://$HOSTNAME/$PATH_TO_GITWEB/?p=lolok;a=blob_plain;f=lol.xml ---- Thanks in advance for your cooperation in coordinating a fix for this issue, Jamie Strandboge [1] oss-security () lists openwall com is a public mailing list for people to collaborate on security vulnerabilities and coordinate security updates. -- Jamie Strandboge | http://www.canonical.com
Current thread:
- Security issue in gitweb Jamie Strandboge (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files dave b (Jun 03)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 04)
- Re: Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 14)
- Re: [CVE-2011-2186] XSS security issue in gitweb for 'blob_plain' view with HTML files Ludwig Nussel (Jun 14)
- [CVE-2011-2186] [PATCH] gitweb: Enable $prevent_xss by default Jakub Narebski (Jun 14)
- Re: XSS security issue in gitweb for 'blob_plain' view with HTML files Jakub Narebski (Jun 03)