oss-sec mailing list archives
Re: CVE Request: cgit directory traversal
From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 27 May 2013 08:30:55 -0400 (EDT)
Thank you for the report, Jason.
Hi Kurt,

As mentioned in early messages to oss-sec, I've inherited maintainership of the cgit codebase and am gradually auditing it. Today I found a nasty directory traversal:

http://somehost/?url=/somerepo/about/../../../../etc/passwd

This should be pretty straightforward to categorize.

Exploitation looks like: http://data.zx2c4.com/cgit-directory-traversal.png

I've committed a fix for it here: http://git.zx2c4.com/cgit/commit/?h=wip&id=babf94e04e74123eb658a823213c062663cdadd6

That patch doesn't seem to be applicable to the cgit-0.9.1 version yet (there doesn't seem to be a cgit_parse_readme() routine yet). Can you provide a patch that would apply against the v0.9.1 version too? Or would this be just a problem of the master branch code?

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

And this fix will be in the master branch and a new release will be made soon.

Cgit by default is not vulnerable to this, and the vulnerability only exists when a user has configured cgit to use a readme file from a filesystem filepath instead of from the git repo itself. Until a release is made, administrators are urged to disable reading the readme file from a filepath, if currently enabled.

Thanks,
Jason
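
For administrators who want to check whether a cgit instance received requests of the shape shown in the report, here is a log scan added as an example for this page; it is not code from cgit or from anyone in the thread. It assumes combined-format access logs and the `?url=` query form from the report; the log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format), not taken from a real server.
# Assumption: cgit is reached through the ?url= query form shown in the report.
SAMPLE_LOG = """\
198.51.100.7 - - [27/May/2013:08:30:55 -0400] "GET /?url=/somerepo/about/ HTTP/1.1" 200 5120
198.51.100.7 - - [27/May/2013:08:31:02 -0400] "GET /?url=/somerepo/about/docs/../INSTALL HTTP/1.1" 200 2048
203.0.113.9 - - [27/May/2013:08:31:40 -0400] "GET /?url=/somerepo/about/../../../../etc/passwd HTTP/1.1" 200 1432
203.0.113.9 - - [27/May/2013:08:31:44 -0400] "GET /?url=%2Fsomerepo%2Fabout%2F%2e%2e%2F%2e%2e%2Fetc%2Fpasswd HTTP/1.1" 200 1432
192.0.2.15 - - [27/May/2013:08:32:10 -0400] "GET /?url=/somerepo/tree/src HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')

def escapes_about(url_param):
    """True if the path after the first 'about' segment climbs above it."""
    segments = url_param.split("/")
    if "about" not in segments:
        return False
    depth = 0  # directory levels below the about page's root
    for seg in segments[segments.index("about") + 1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:  # stepped above the about root
                return True
        else:
            depth += 1
    return False

def find_traversal_requests(log_text):
    """Return (client, decoded url parameter) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query
        for value in parse_qs(query).get("url", []):  # parse_qs percent-decodes once
            if escapes_about(value):
                hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for client, value in find_traversal_requests(SAMPLE_LOG):
        print(client, value)
```

A hit means the request was attempted; whether a file was disclosed depends on whether reading the readme from a filesystem path was enabled at the time.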