Home page logo

oss-sec logo oss-sec mailing list archives

Re: Re: CVE Request -- cGit -- XSS flaw in rename hint
From: Lukas Fleischer <cgit () cryptocrack de>
Date: Sun, 24 Jul 2011 16:50:33 +0200

On Sun, Jul 24, 2011 at 03:56:12PM +0200, Jan Lieskovsky wrote:

Hi Lukas,

  thank you for this correction.

On 07/22/2011 10:35 PM, Lukas Fleischer wrote:
On Fri, Jul 22, 2011 at 06:48:38PM +0200, Jan Lieskovsky wrote:
Hello Josh, Steve, vendors,

  an cross-site scripting (XSS) flaw was found in the way cgit, a fast
web interface for Git, displayed the file name in the rename hint. A
remote attacker could provide a specially-crafted web page, which once
visited by an authenticated Cgit user, with push access to the
repository, would lead to arbitrary web script or HTML code execution.

I think you are a tad off, here. The vulnerability I discovered actually
is only exploitable *by* a user with push access as it requires to push
a commit that renames any file to a file with a malicious file name.

Have updated issue description in:

Hoping of it to sound better now.

Better now. This is how I'd phrase it:

A cross-site scripting (XSS) vulnerability was found in cgit, a fast web
interface for Git, allowing a remote attacker with push access to a
repository to inject arbitrary HTML code. The new file name in rename
hints is not escaped and can be exploited by renaming some file to a
file with specially-crafted file name, thus leading to a permanent XSS.

By the way, this is already fixed in current stable [1] (just because
nobody mentioned it yet).

[1] http://hjemli.net/git/cgit/commit/?id=bebe89d7

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]