
Cross-side scripting vulnerability in gitweb - wallunit
http://www.no-ack.org/2010/12/cross-side-scripting-vulnerability-in.html?sms_ss=hackernews&at_xt=4d0ba3dd94ff1509%2C0
======
tptacek
I'm not super familiar with gitweb so I'll be the one to ask: what can you do
with gitweb as a logged-in user? What's the impact of an XSS on gitweb?

~~~
wallunit
There is basically no login area. Gitweb is the official web interface for the
source tracker git. If you have permissions to push to the repository the
gitweb page is showing, you could possibly add a file to the repository which,
when shown on the page, will inject malicious JavaScript code, for example.

If you run gitweb for repositories where only yourself (and people you trust)
have those permissions, this vulnerability is rather harmless. But if you are
running gitweb for a large FOSS project with a lot of committers, you should
be aware of that issue.
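The stored-XSS path wallunit describes, as an added example that is not gitweb's code or part of the original thread: a toy "blob view" that interpolates committer-controlled file data straight into HTML, beside the escaped version, with a check a maintainer could run against rendered output. The filename, file contents and function names are constructed for this illustration.

```python
import html

# Constructed sample: a file a committer pushed to a repository that the
# web interface renders. Both the name and the body carry markup.
SAMPLE_FILENAME = "README<img src=x onerror=alert(1)>.txt"
SAMPLE_CONTENT = "hello\n<script>alert('xss')</script>\nbye\n"


def render_blob_unsafe(filename: str, content: str) -> str:
    """Naive blob view: repository data is interpolated directly into HTML,
    so anything a committer writes into the file becomes page markup."""
    rows = "".join(
        f"<tr><td>{i}</td><td>{line}</td></tr>\n"
        for i, line in enumerate(content.splitlines(), 1)
    )
    return f"<h2>{filename}</h2>\n<table>\n{rows}</table>\n"


def render_blob_safe(filename: str, content: str) -> str:
    """Hardened blob view: every repository-controlled string is HTML-escaped
    (including quotes) before it is placed in the page, so it renders as text."""
    rows = "".join(
        f"<tr><td>{i}</td><td>{html.escape(line, quote=True)}</td></tr>\n"
        for i, line in enumerate(content.splitlines(), 1)
    )
    title = html.escape(filename, quote=True)
    return f"<h2>{title}</h2>\n<table>\n{rows}</table>\n"


def leaks_raw_markup(rendered: str, *untrusted: str) -> bool:
    """Defender check: report whether any untrusted line containing a tag
    survives verbatim (unescaped) in the rendered page."""
    lines = [ln for src in untrusted for ln in src.splitlines() if "<" in ln]
    return any(ln in rendered for ln in lines)


if __name__ == "__main__":
    unsafe = render_blob_unsafe(SAMPLE_FILENAME, SAMPLE_CONTENT)
    safe = render_blob_safe(SAMPLE_FILENAME, SAMPLE_CONTENT)
    print("unsafe leaks markup:", leaks_raw_markup(unsafe, SAMPLE_FILENAME, SAMPLE_CONTENT))
    print("safe leaks markup:  ", leaks_raw_markup(safe, SAMPLE_FILENAME, SAMPLE_CONTENT))
```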

------
DupDetector
This seems to be a re-submission of a page by the same person:

<http://news.ycombinator.com/item?id=2007597>

Was this deliberate?

------
wccrawford
Site. Cross Site Scripting.

Would Cross Side Scripting come from the other side, beyond the grave? That
would be quite a bit more serious.

