* Fwd: Sourceware Security Vulnerablity [not found] <CAHv8Y_5wVyWCsjasGx7noqU0rhMtE4-cmVV_Z5LMLe29-w-5=w@mail.gmail.com> @ 2014-09-09 16:55 ` Keith Seitz 2014-09-09 18:17 ` Frank Ch. Eigler 0 siblings, 1 reply; 3+ messages in thread From: Keith Seitz @ 2014-09-09 16:55 UTC (permalink / raw) To: overseers Someone posted this to the insight mailing list... Is there anything we can do? Keith -------- Original Message -------- Subject: Sourceware Security Vulnerablity Date: Tue, 9 Sep 2014 04:16:16 -0700 From: Paul Yibelo <habte.yibelo@gmail.com> To: insight@sourceware.org Hey, My name is Paul. I believe I discovered a very nice XSS in your website sourceware.org. I coudnt find any other place to submit it so, I just mailedy you here. you should have a bug submit page. :) here is the payload https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A<script>alert(0);</script>%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN your error page doesnt sanitize input. hoping to hearing from you :D Thanks, Paul ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Fwd: Sourceware Security Vulnerablity 2014-09-09 16:55 ` Fwd: Sourceware Security Vulnerablity Keith Seitz @ 2014-09-09 18:17 ` Frank Ch. Eigler 2014-11-13 14:57 ` cvsweb vs viewvc (was: Sourceware Security Vulnerablity) Gerald Pfeifer 0 siblings, 1 reply; 3+ messages in thread From: Frank Ch. Eigler @ 2014-09-09 18:17 UTC (permalink / raw) To: Keith Seitz; +Cc: overseers Hi - > https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A<script>alert(0);</script>%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN This is fixed by a blunt removal of the ancient cvsweb.cgi code, and a blunt httpd-level redirection to /viewvc, for both sourceware.org and gcc.gnu.org. - FChE ^ permalink raw reply [flat|nested] 3+ messages in thread
* cvsweb vs viewvc (was: Sourceware Security Vulnerablity) 2014-09-09 18:17 ` Frank Ch. Eigler @ 2014-11-13 14:57 ` Gerald Pfeifer 0 siblings, 0 replies; 3+ messages in thread From: Gerald Pfeifer @ 2014-11-13 14:57 UTC (permalink / raw) To: overseers, Frank Ch. Eigler On Tuesday 2014-09-09 14:17, Frank Ch. Eigler wrote: > This is fixed by a blunt removal of the ancient cvsweb.cgi code, and > a blunt httpd-level redirection to /viewvc, for both sourceware.org > and gcc.gnu.org. I followed up with some clean-ups on the GCC side. How about http://sourceware.org/cgi-bin/cvsweb.cgi/?cvsroot=sourceware and https://gcc.gnu.org/cgi-bin/cvsweb.cgi/wwwdocs/ however? These do not appear to be available via /viewvc. Gerald ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-11-07 11:08 UTC | newest] Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- [not found] <CAHv8Y_5wVyWCsjasGx7noqU0rhMtE4-cmVV_Z5LMLe29-w-5=w@mail.gmail.com> 2014-09-09 16:55 ` Fwd: Sourceware Security Vulnerablity Keith Seitz 2014-09-09 18:17 ` Frank Ch. Eigler 2014-11-13 14:57 ` cvsweb vs viewvc (was: Sourceware Security Vulnerablity) Gerald Pfeifer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).