Date: Thu, 14 Jan 2016 15:21:36 +0100
From: "Jason A. Donenfeld" <>
To: "" <>, oss-security <>
Cc: Daniel Chromek <>, 
	Krzysztof Katowicz-Kowalewski <>, Erik Cabetas <>, 
	Konstantin Ryabitsev <>
Subject: CVE Request: CGit - Multiple vulnerabilities

Hi folks,

Krzysztof Katowicz-Kowalewski from ESET, Erik Cabetas from Include
Security, and myself (Jason Donenfeld) from Edge Security, have found
a few vulnerabilities in CGit:

1. Reflected Cross Site Scripting & Header Injection in Mimetype Query
String [Katowicz-Kowalewski]

The ui-blob handler accepted a mimetype as a query string and then
echoed this string verbatim back. A malicious user could provide a
string like: <script>xss</script>

This has been fixed by removing support for the mimetype query string parameter:
And then restricting to only generic mimetypes:
And finally, just in case, setting the IE anti-sniffing header as well
as a restrictive CSP header:

2. Stored Cross Site Scripting & Header Injection in Filename
Parameter [Donenfeld]

A user who has write access to the git repository could create
filenames containing new lines that would result in that filename,
including the newlines, being included in a header, resulting in
header injection and eventually XSS.

This has been fixed by properly escaping filenames in headers:
Additionally, while the redirect for the /about -> /about/ page does
*not* appear to be vulnerable due to mitigating conditions, the
following commit was made to similarly harden potential injections

3. Stored Cross Site Scripting in Git Repo Files [Katowicz-Kowalewski]

A user who has write access to the git repository can add HTML pages
and then serve them with an HTML mimetype. A user could therefore
upload pages with malicious JavaScript executing in the same origin as
the cgit web site. While this is ordinarily not a problem for
single-use users - and indeed some users rather like being able to
serve HTML from cgit - sites that allow potentially malicious third
party users may not find this behavior desirable.

This has been fixed by adding a configuration option,
"enable-html-serving", which is by default off:
This flag sets anti-sniffing, CSP, and restricts mimetypes to
non-"application/" (except for application/pdf and
application/octet-stream) and non-"text/" (except for text/plain). If
you have a better idea of what sort of white/black list to use for
this, I am open to suggestions.

4. Integer Overflow resulting in Buffer Overflow [Cabetas]

ctx.env.content_length is an unsigned int, coming from the
CONTENT_LENGTH environment variable, which is parsed by strtoul. The
HTTP/1.1 spec says that "any Content-Length greater than or equal to
zero is a valid value." By storing this unsigned int into an int, we
potentially overflow it, resulting in the following bounds check
failing, leading to a buffer overflow.
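The signed/unsigned narrowing described above, as an added illustration that is not cgit's code: a constructed model of the defective check beside a parser that keeps the length unsigned, rejects what strtoul would silently accept, and caps it before any buffer is sized. BODY_MAX, vulnerable_check_passes and checked_length are names assumed here for the example.

```c
#include <ctype.h>
#include <errno.h>
#include <stdbool.h>
#include <stdlib.h>

#define BODY_MAX 4096UL   /* assumed cap on a request body for this example */

/* Constructed model of the bug class: CONTENT_LENGTH is parsed with strtoul
 * into an unsigned value, then narrowed into a signed int before the bounds
 * check. On common ABIs 4294967295 becomes -1 (implementation-defined), which
 * is never "greater than BODY_MAX", so the check passes and the caller would
 * go on to size a buffer from the original huge length. */
static bool vulnerable_check_passes(unsigned long content_length)
{
    int len = (int)content_length;      /* narrowing: 4294967295 -> -1 */
    if (len > (int)BODY_MAX)            /* a negative len never trips this */
        return false;
    return true;                        /* caller proceeds with a bad length */
}

/* Hardened form: stay in the unsigned domain end to end, reject anything
 * strtoul would quietly tolerate (empty string, leading '-', trailing junk,
 * out-of-range values), and enforce the cap before returning.
 * Returns the length on success, -1 on rejection. */
static long checked_length(const char *s)
{
    char *end;
    unsigned long v;

    /* strtoul("-1") yields ULONG_MAX without error; require a digit first */
    if (s == NULL || !isdigit((unsigned char)*s))
        return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno == ERANGE || *end != '\0')  /* overflow or trailing garbage */
        return -1;
    if (v > BODY_MAX)                     /* compare unsigned vs unsigned */
        return -1;
    return (long)v;                       /* safe: v <= BODY_MAX */
}
```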

This has been fixed by this commit:

A new version containing these security fixes will be published shortly.

