Cross-site scripting (XSS) flaw was found in the web interface of Git distributed revision control system. A remote attacker could use this flaw to execute arbitrary HTML or scripting code by providing a certain URL with specially-crafted values of f and fp variables. References: [1] http://www.bugsearch.net/en/11075/gitweb-1733-cross-site-scripting-cve-2010-3906.html?ref=3 [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=607248 Upstream changeset: [3] http://repo.or.cz/w/git.git/commit/3017ed62f47ce14a959e2d315c434d4980cf4243 Public PoC (from [1]): http://localhost/?p=foo/bar/ph33r.git;a=blobdiff;f=[XSS];fp=[XSS] [XSS] => "><body onload="alert('xss')"> <a Credit: Emanuele 'emgent' Gentili
This issue affects the version of the git package, as shipped with Red Hat Enterprise Linux 6. -- This issue affects the versions of the git package, as shipped with Fedora release of 13 and 14. This issue affects the versions of the git package, as present within EPEL-4 and EPEL-5 repositories. Please schedule an update.
Created git tracking bugs for this issue Affects: fedora-all [bug 663612]
Announcement of versions that fix this issue: http://www.spinics.net/lists/git/msg148037.html Fixed in: 1.7.3.4, 1.7.2.5, 1.7.1.4, 1.7.0.9, 1.6.6.3, 1.6.5.9, 1.6.4.5
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2010:1003 https://rhn.redhat.com/errata/RHSA-2010-1003.html