mailing list archives
Re: Re: CVE Request -- cGit -- XSS flaw in rename hint
From: Lukas Fleischer <cgit () cryptocrack de>
Date: Sun, 24 Jul 2011 16:50:33 +0200
On Sun, Jul 24, 2011 at 03:56:12PM +0200, Jan Lieskovsky wrote:
thank you for this correction.
On 07/22/2011 10:35 PM, Lukas Fleischer wrote:
On Fri, Jul 22, 2011 at 06:48:38PM +0200, Jan Lieskovsky wrote:
Hello Josh, Steve, vendors,
an cross-site scripting (XSS) flaw was found in the way cgit, a fast
web interface for Git, displayed the file name in the rename hint. A
remote attacker could provide a specially-crafted web page, which once
visited by an authenticated Cgit user, with push access to the
repository, would lead to arbitrary web script or HTML code execution.
I think you are a tad off, here. The vulnerability I discovered actually
is only exploitable *by* a user with push access as it requires to push
a commit that renames any file to a file with a malicious file name.
Have updated issue description in:
Hoping of it to sound better now.
Better now. This is how I'd phrase it:
A cross-site scripting (XSS) vulnerability was found in cgit, a fast web
interface for Git, allowing a remote attacker with push access to a
repository to inject arbitrary HTML code. The new file name in rename
hints is not escaped and can be exploited by renaming some file to a
file with specially-crafted file name, thus leading to a permanent XSS.
By the way, this is already fixed in current stable  (just because
nobody mentioned it yet).