Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 5 Mar 2016 18:41:03 +0100
From: Peter Bex <peter@...e-magic.net>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Cgit XSS "vulnerability" has no CVE?

Hi there,

I just noticed that cgit versions before v0.12 contain a bug in
the "txt2html" filter script:
https://git.zx2c4.com/cgit/commit/filters/html-converters/txt2html?id=13c2d3df0440ce04273de3149631a9bd97490c6e

It seems this is the mailing list thread in which the fix was
posted (unfortunately, the attachment was dropped):
https://lists.zx2c4.com/pipermail/cgit/2015-August/002561.html

The release notes for v0.12 mention the fix, but there seems to be no
CVE for it: https://lists.zx2c4.com/pipermail/cgit/2016-January/002817.html

This allows for an XSS attack by anyone with write access: If you can
push to a git repository for which the "txt2html" converter is activate,
you can create a README or README.txt and insert arbitrary HTML.

Please note that the recommended "about-formatting.sh" filter will also
allow unfiltered HTML files, Markdown or ReST documents, so that's
arguably by design.  But it's definitely a surprise for people like
myself who would expect all files to be filtered for safe HTML like
GitHub or Bitbucket do.  And of course, in cases where an administrator
tries to add *restricted* README support by allowing only plaintext
files through the txt2html filter, this would definitely be undesired.

Finally, the about-formatting.sh may be shipped by default, but the
default value of the "about-filter" is empty, and it seems that the
installation script does *not* supply a default configuration file
which could override that, so it has to be explicitly enabled by
the user (or the distro's package).

Anyway, all in all, I think this is probably worth a CVE because it's
so non-obvious.

Cheers,
Peter Bex

Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ