* Fwd: Sourceware Security Vulnerablity
[not found] <CAHv8Y_5wVyWCsjasGx7noqU0rhMtE4-cmVV_Z5LMLe29-w-5=w@mail.gmail.com>
@ 2014-09-09 16:55 ` Keith Seitz
2014-09-09 18:17 ` Frank Ch. Eigler
0 siblings, 1 reply; 3+ messages in thread
From: Keith Seitz @ 2014-09-09 16:55 UTC (permalink / raw)
To: overseers
Someone posted this to the insight mailing list... Is there anything we
can do?
Keith
-------- Original Message --------
Subject: Sourceware Security Vulnerablity
Date: Tue, 9 Sep 2014 04:16:16 -0700
From: Paul Yibelo <habte.yibelo@gmail.com>
To: insight@sourceware.org
Hey,
My name is Paul. I believe I discovered a very nice XSS in your
website sourceware.org. I coudnt find any other place to submit it so,
I just mailedy you here. you should have a bug submit page. :)
here is the payload
https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A<script>alert(0);</script>%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN
your error page doesnt sanitize input. hoping to hearing from you :D
Thanks,
Paul
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Fwd: Sourceware Security Vulnerablity
2014-09-09 16:55 ` Fwd: Sourceware Security Vulnerablity Keith Seitz
@ 2014-09-09 18:17 ` Frank Ch. Eigler
2014-11-13 14:57 ` cvsweb vs viewvc (was: Sourceware Security Vulnerablity) Gerald Pfeifer
0 siblings, 1 reply; 3+ messages in thread
From: Frank Ch. Eigler @ 2014-09-09 18:17 UTC (permalink / raw)
To: Keith Seitz; +Cc: overseers
Hi -
> https://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/login/programs%0A%0A<script>alert(0);</script>%0A%0A/pt_chown.c?rev=1.12&content-type=text/html&cvsroot=glibc&only_with_tag=MAIN
This is fixed by a blunt removal of the ancient cvsweb.cgi code, and
a blunt httpd-level redirection to /viewvc, for both sourceware.org
and gcc.gnu.org.
- FChE
^ permalink raw reply [flat|nested] 3+ messages in thread
* cvsweb vs viewvc (was: Sourceware Security Vulnerablity)
2014-09-09 18:17 ` Frank Ch. Eigler
@ 2014-11-13 14:57 ` Gerald Pfeifer
0 siblings, 0 replies; 3+ messages in thread
From: Gerald Pfeifer @ 2014-11-13 14:57 UTC (permalink / raw)
To: overseers, Frank Ch. Eigler
On Tuesday 2014-09-09 14:17, Frank Ch. Eigler wrote:
> This is fixed by a blunt removal of the ancient cvsweb.cgi code, and
> a blunt httpd-level redirection to /viewvc, for both sourceware.org
> and gcc.gnu.org.
I followed up with some clean-ups on the GCC side.
How about
http://sourceware.org/cgi-bin/cvsweb.cgi/?cvsroot=sourceware
and
https://gcc.gnu.org/cgi-bin/cvsweb.cgi/wwwdocs/
however?
These do not appear to be available via /viewvc.
Gerald
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-11-07 11:08 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <CAHv8Y_5wVyWCsjasGx7noqU0rhMtE4-cmVV_Z5LMLe29-w-5=w@mail.gmail.com>
2014-09-09 16:55 ` Fwd: Sourceware Security Vulnerablity Keith Seitz
2014-09-09 18:17 ` Frank Ch. Eigler
2014-11-13 14:57 ` cvsweb vs viewvc (was: Sourceware Security Vulnerablity) Gerald Pfeifer
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).