From: "glpk xypron" <xypron.glpk@gmx.de>
To: git@vger.kernel.org
Subject: [BUG] gitweb: XSS vulnerability of RSS feed
Date: Mon, 12 Nov 2012 00:28:20 +0100
Message-ID: <20121111232820.284510@gmx.net>

Gitweb can be used to generate an RSS feed.

Arbitrary tags can be inserted into the XML document describing
the RSS feed by careful construction of the URL.

Example
http://server/?p=project.git&a=rss&f=</title><script>alert(document.cookie)</script><title>

The generated XML contains
<script>alert(document.cookie)</script>

Depending on the system used to render the XML this might lead
to the execution of JavaScript in the security context of the
gitweb server pages.

Please, escape all URL parameters.

Version tested:
gitweb v.1.8.0.dirty with git 1.7.2.5

Best regards

Heinrich Schuchardt
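The report above describes the defect as a URL parameter written into the feed's XML without escaping. The following added example (not gitweb's own code; gitweb is Perl, this is a Python illustration with a constructed minimal feed) contrasts the vulnerable interpolation pattern with two fixes: escaping the value before it enters XML text, and building the document with an XML library so escaping is never skipped. The `f` value used as input is the one from the report's URL; the project name and feed layout are assumptions.

```python
# Added example, not part of the original report or of gitweb.
# Demonstrates why an unescaped URL parameter lets extra elements into an
# RSS document and how escaping keeps the parameter as plain text.
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

# Constructed sample input: the "f" parameter from the reported URL.
INJECTED_F = '</title><script>alert(document.cookie)</script><title>'


def render_feed_unsafe(project, f):
    """Vulnerable pattern: untrusted values dropped straight into XML text."""
    return (f'<rss version="2.0"><channel>'
            f'<title>{project} - {f}</title>'
            f'</channel></rss>')


def render_feed_escaped(project, f):
    """Fix 1: escape &, < and > before the value enters XML character data.
    (Values placed in attributes would need quoteattr() instead.)"""
    return (f'<rss version="2.0"><channel>'
            f'<title>{escape(project)} - {escape(f)}</title>'
            f'</channel></rss>')


def render_feed_with_etree(project, f):
    """Fix 2: build the tree with an XML API; serialisation escapes for us,
    so there is no per-parameter step a maintainer can forget."""
    rss = ET.Element('rss', version='2.0')
    channel = ET.SubElement(rss, 'channel')
    title = ET.SubElement(channel, 'title')
    title.text = f'{project} - {f}'
    return ET.tostring(rss, encoding='unicode')


def channel_children(xml_text):
    """Audit helper: parse the feed and list (tag, text) of every element
    directly under <channel>. A safe feed has exactly one <title>."""
    root = ET.fromstring(xml_text)
    return [(child.tag, child.text or '') for child in root.find('channel')]


if __name__ == '__main__':
    for render in (render_feed_unsafe, render_feed_escaped, render_feed_with_etree):
        print(render.__name__, '->', channel_children(render('project.git', INJECTED_F)))
```

Running the block shows the unescaped feed parsing as three elements (`title`, `script`, `title`) while both fixed versions parse as a single `title` whose text is the original parameter verbatim, which is the property a reviewer should check for every parameter that reaches the feed.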


Thread overview: 15+ messages
2012-11-11 23:28 glpk xypron [this message]
2012-11-12 18:55 ` [BUG] gitweb: XSS vulnerability of RSS feed Drew Northup
2012-11-12 20:24   ` Jeff King
2012-11-12 20:27     ` Jeff King
2012-11-12 20:36       ` Junio C Hamano
2012-11-12 21:13         ` Jakub Narębski
2012-11-12 21:34           ` Jeff King
2012-11-13 14:44     ` Drew Northup
2012-11-13 15:19       ` Jakub Narębski
2012-11-13 15:45       ` Kevin
2012-11-13 15:57         ` Jakub Narębski
2012-11-13 17:04       ` Jeff King
2012-11-13 17:22         ` Jakub Narębski
2012-11-12 23:09   ` Andreas Schwab
2012-11-13  8:31   ` Pyeron, Jason J CTR (US)
