Date: Sat, 5 Mar 2016 18:41:03 +0100 From: Peter Bex <peter@...e-magic.net> To: Open Source Security <oss-security@...ts.openwall.com> Subject: Cgit XSS "vulnerability" has no CVE? Hi there, I just noticed that cgit versions before v0.12 contain a bug in the "txt2html" filter script: https://git.zx2c4.com/cgit/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e It seems this is the mailing list thread in which the fix was posted (unfortunately, the attachment was dropped): https://lists.zx2c4.com/pipermail/cgit/2015-August/002561.html The release notes for v0.12 mention the fix, but there seems to be no CVE for it: https://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html This allows for an XSS attack by anyone with write access: If you can push to a git repository for which the "txt2html" converter is activate, you can create a README or README.txt and insert arbitrary HTML. Please note that the recommended "about-formatting.sh" filter will also allow unfiltered HTML files, Markdown or ReST documents, so that's arguably by design. But it's definitely a surprise for people like myself who would expect all files to be filtered for safe HTML like GitHub or Bitbucket do. And of course, in cases where an administrator tries to add *restricted* README support by allowing only plaintext files through the txt2html filter, this would definitely be undesired. Finally, the about-formatting.sh may be shipped by default, but the default value of the "about-filter" is empty, and it seems that the installation script does *not* supply a default configuration file which could override that, so it has to be explicitly enabled by the user (or the distro's package). Anyway, all in all, I think this is probably worth a CVE because it's so non-obvious. Cheers, Peter Bex Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ