Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 371312 (CVE-2011-2186)

Summary: dev-vcs/git: Persistent XSS by users with commit privileges (CVE-2011-2186)
Product: Gentoo Security Reporter: Tim Sammut (RETIRED) <underling>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: trivial CC: alexanderyt, ricmm, robbat2
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2011/06/03/7
Whiteboard: C4 [upstream]
Package list:
Runtime testing required: ---

Description Tim Sammut (RETIRED) gentoo-dev 2011-06-12 21:05:45 UTC 
From $URL:

From the reporter:
----
I am reporting a persistent xss vector in gitweb, note this requires a
user to have commit access to a repository that gitweb is configured
to display. The vector is the fact that gitweb "serves" up xml files -
which can (just as gitweb does) embed html that could be used to
perform a cross-site scripting attack.

e.g. (lol.xml).
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en-US"
lang="en-US">
<head>
</head>
<script>alert(1);</script>
</html>

and viewed at
http://$HOSTNAME/$PATH_TO_GITWEB/?p=lolok;a=blob_plain;f=lol.xml
----
Comment 1 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2012-08-23 05:32:11 UTC 
security:
Which versions of Git are affected by this? I don't see any mention in the Git logs of this CVE.
Comment 2 Sergey Popov (RETIRED) gentoo-dev 2014-01-10 13:28:20 UTC 
This would not be fixed as upstream says, however, that have talked about changing default value of prevent_xss from 0 to 1(if it is set to 1 - issue is gone), so from 1.6.*(when prevent_xss was introduced, not sure in which minor version) users can workaround this bug.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-02-20 06:21:58 UTC 
per the previous comment this issue is something the user can work around locally.  most importantly, commit access must be granted in order for the XSS to be effective