Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 03 Jun 2011 11:15:12 -0500
From: Jamie Strandboge <>
To: akub Narebski <>, Junio C Hamano <>
Cc:, dave b <>
Subject: Security issue in gitweb

A security bug was reported by 'dave b' (in CC) against gitweb in
Ubuntu. You are being emailed as the upstream contact. Please keep
oss-security[1] CC'd for any updates on this issue.

This issue should be considered public, but has not yet been assigned a
CVE. Once a CVE is assigned, please mention it in any changelogs.

Details from the public bug follow:

From the reporter:
I am reporting a persistent xss vector in gitweb, note this requires a
user to have commit access to a repository that gitweb is configured
to display. The vector is the fact that gitweb "serves" up xml files -
which can (just as gitweb does) embed html that could be used to
perform a cross-site scripting attack.

e.g. (lol.xml).
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
<html xmlns="" xml:lang="en-US"

and viewed at

Thanks in advance for your cooperation in coordinating a fix for this

Jamie Strandboge

[1] is a public mailing list for
    people to collaborate on security vulnerabilities and coordinate
    security updates.

Jamie Strandboge             |

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ