From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 22048 invoked by alias); 9 Sep 2014 16:55:45 -0000 Mailing-List: contact overseers-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: overseers-owner@sourceware.org Received: (qmail 22039 invoked by uid 89); 9 Sep 2014 16:55:44 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.2 required=5.0 tests=AWL,BAYES_00,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2 X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Tue, 09 Sep 2014 16:55:43 +0000 Received: from int-mx11.intmail.prod.int.phx2.redhat.com (int-mx11.intmail.prod.int.phx2.redhat.com [10.5.11.24]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id s89Gtff1026805 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL) for ; Tue, 9 Sep 2014 12:55:41 -0400 Received: from valrhona.uglyboxes.com (ovpn01.gateway.prod.ext.phx2.redhat.com [10.5.9.1]) by int-mx11.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id s89GterE018132 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NO) for ; Tue, 9 Sep 2014 12:55:41 -0400 Message-ID: <540F310C.8030905@redhat.com> Date: Tue, 09 Sep 2014 16:55:00 -0000 From: Keith Seitz User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.7.0 MIME-Version: 1.0 To: overseers@sourceware.org Subject: Fwd: Sourceware Security Vulnerablity References: In-Reply-To: X-Forwarded-Message-Id: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-SW-Source: 2014-q3/txt/msg00147.txt.bz2 Someone posted this to the insight mailing list... Is there anything we can do? Keith -------- Original Message -------- Subject: Sourceware Security Vulnerablity Date: Tue, 9 Sep 2014 04:16:16 -0700 From: Paul Yibelo To: insight@sourceware.org Hey, My name is Paul. I believe I discovered a very nice XSS in your website sourceware.org. I coudnt find any other place to submit it so, I just mailedy you here. you should have a bug submit page. :) here is the payload https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN your error page doesnt sanitize input. hoping to hearing from you :D Thanks, Paul From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 23977 invoked by alias); 9 Sep 2014 18:17:29 -0000 Mailing-List: contact overseers-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: overseers-owner@sourceware.org Received: (qmail 23968 invoked by uid 89); 9 Sep 2014 18:17:28 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-3.7 required=5.0 tests=AWL,BAYES_00,RCVD_IN_DNSWL_LOW,RP_MATCHES_RCVD,SPF_HELO_PASS,SPF_PASS autolearn=ham version=3.3.2 X-HELO: elastic.org Received: from elastic.org (HELO elastic.org) (69.20.226.105) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Tue, 09 Sep 2014 18:17:27 +0000 Received: from super.elastic.org (localhost [127.0.0.1]) by elastic.org (8.14.7/8.14.7) with ESMTP id s89IHCLC015611 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 9 Sep 2014 14:17:13 -0400 Received: (from fche@localhost) by super.elastic.org (8.14.7/8.14.7/Submit) id s89IHCbh015610; Tue, 9 Sep 2014 14:17:12 -0400 Date: Tue, 09 Sep 2014 18:17:00 -0000 From: "Frank Ch. Eigler" To: Keith Seitz Cc: overseers@sourceware.org Subject: Re: Fwd: Sourceware Security Vulnerablity Message-ID: <20140909181712.GB13532@elastic.org> References: <540F310C.8030905@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <540F310C.8030905@redhat.com> User-Agent: Mutt/1.5.23 (2014-03-12) X-SW-Source: 2014-q3/txt/msg00149.txt.bz2 Hi - > https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN This is fixed by a blunt removal of the ancient cvsweb.cgi code, and a blunt httpd-level redirection to /viewvc, for both sourceware.org and gcc.gnu.org. - FChE From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 18042 invoked by alias); 7 Nov 2014 11:08:49 -0000 Mailing-List: contact overseers-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: overseers-owner@sourceware.org Received: (qmail 18028 invoked by uid 89); 7 Nov 2014 11:08:47 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-1.1 required=5.0 tests=AWL,BAYES_00,SPF_PASS autolearn=ham version=3.3.2 X-HELO: ainaz.pair.com Received: from ainaz.pair.com (HELO ainaz.pair.com) (209.68.2.66) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with (AES256-GCM-SHA384 encrypted) ESMTPS; Fri, 07 Nov 2014 11:08:46 +0000 Received: from [192.168.0.132] (vie-188-118-252-018.dsl.sil.at [188.118.252.18]) by ainaz.pair.com (Postfix) with ESMTPSA id DB2523F44E; Fri, 7 Nov 2014 06:08:43 -0500 (EST) Date: Thu, 13 Nov 2014 14:57:00 -0000 From: Gerald Pfeifer To: overseers@sourceware.org, "Frank Ch. Eigler" Subject: cvsweb vs viewvc (was: Sourceware Security Vulnerablity) In-Reply-To: <20140909181712.GB13532@elastic.org> Message-ID: References: <540F310C.8030905@redhat.com> <20140909181712.GB13532@elastic.org> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII X-SW-Source: 2014-q4/txt/msg00073.txt.bz2 On Tuesday 2014-09-09 14:17, Frank Ch. Eigler wrote: > This is fixed by a blunt removal of the ancient cvsweb.cgi code, and > a blunt httpd-level redirection to /viewvc, for both sourceware.org > and gcc.gnu.org. I followed up with some clean-ups on the GCC side. How about http://sourceware.org/cgi-bin/cvsweb.cgi/?cvsroot=sourceware and https://gcc.gnu.org/cgi-bin/cvsweb.cgi/wwwdocs/ however? These do not appear to be available via /viewvc. Gerald