From: Paul Yibelo
To: insight@sourceware.org
Date: Tue, 09 Sep 2014 11:16:00 -0000
Subject: Sourceware Security Vulnerablity

Hey,

My name is Paul. I believe I discovered a very nice XSS in your website sourceware.org. I couldn't find any other place to submit it, so I just mailed you here. You should have a bug submit page. :)

Here is the payload:

https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN

Your error page doesn't sanitize input.

Hoping to hear from you :D

Thanks,
Paul