Cross-side scripting vulnerability in gitweb (no-ack.org)
2 points by wallunit on Dec 17, 2010 | 4 comments


I'm not super familiar with gitweb so I'll be the one to ask: what can you do with gitweb as a logged-in user? What's the impact of an XSS on gitweb?


There is basically no login area. Gitweb is the official web interface for the source tracker git. If you have permissions to push to the repository the gitweb page is showing, you could possibly add a file to the repository which, when shown on the page, will inject malicious JavaScript code, for example.

If you run gitweb for repositories where only yourself (and people you trust) have those permissions, this vulnerability is rather harmless. But if you are running gitweb for a large FOSS project with a lot of committers, you should be aware of that issue.


This seems to be a re-submission of a page by the same person:

https://hackertimes.com/item?id=2007597

Was this deliberate?


Site. Cross Site Scripting.

Would Cross Side Scripting come from the other side, beyond the grave? That would be quite a bit more serious.



