Re: Security issue in gitweb

[Josh Bressers <bressers () redhat com>]

Please use CVE-2011-2186 for this.

Thanks.

-- 
    JB


----- Original Message -----
> A security bug was reported by 'dave b' (in CC) against gitweb in
> Ubuntu. You are being emailed as the upstream contact. Please keep
> oss-security[1] CC'd for any updates on this issue.
>
> This issue should be considered public, but has not yet been assigned
> a
> CVE. Once a CVE is assigned, please mention it in any changelogs.
>
> Details from the public bug follow:
> https://launchpad.net/bugs/777804
>
> From the reporter:
> ----
> I am reporting a persistent xss vector in gitweb, note this requires a
> user to have commit access to a repository that gitweb is configured
> to display. The vector is the fact that gitweb "serves" up xml files -
> which can (just as gitweb does) embed html that could be used to
> perform a cross-site scripting attack.
>
> e.g. (lol.xml).
> <?xml version="1.0" encoding="utf-8"?>
> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
> <html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en-US"
> lang="en-US">
> <head>
> </head>
> <script>alert(1);</script>
> </html>
>
> and viewed at
> http://$HOSTNAME/$PATH_TO_GITWEB/?p=lolok;a=blob_plain;f=lol.xml
> ----
>
> Thanks in advance for your cooperation in coordinating a fix for this
> issue,
>
> Jamie Strandboge
>
> [1] oss-security () lists openwall com is a public mailing list for
> people to collaborate on security vulnerabilities and coordinate
> security updates.
>
> --
> Jamie Strandboge | http://www.canonical.com