On Fri, Mar 15, 2019 at 05:22:47PM -0700, Andrew Hewus Fresh wrote:
> > I have produced the patch with 'diff -u cvsweb.orig cvsweb' directly in the
> > /var/www/cgi-bin directory. Credit goes to Ezio Paglia for finding this XSS
> > vuln. Also the cvsweb at openbsd.org is affected and can be checked with:
>
> I looked this over and updated the patch to be against the port. It
> seems to be good and I only found a couple other places that needed to
> be escaped, the "stickyvars" section and the tr1/tr2 inputs in doLog,
> although r1, r2, tr1 and tr2 are part of "unsafevars" so their content
> is pretty limited already.
>
> It was a pretty quick look so I don't doubt that there are more, and I
> didn't actually get a chance to test it out, so hopefully someone else
> can.
>
> > https://cvsweb.openbsd.org/src/sbin/clri/clri.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E
> >
> > In Chrome the XSS check activates immediately, I don't know what Firefox
> > does.
>
> With NoScript it throws up a big error saying there was an attempted
> XSS, without NoScript it throws up an alert box saying "XSS".
>
> Index: Makefile ...

Hi,

Thanks for the help! I have applied your patch and it went cleanly (commands were
cd /usr/ports/devel/cvsweb; patch -p0 < cvsweb.patch), I then rebuilt the port
with "make reinstall", no problem there either. The CGI is the newly built CGI,
as discovered with ls. A quick test shows that it applied the XSS escapes.

Best Regards,
-peter
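As an added illustration (not code from the cvsweb port or from the patch discussed in this thread), here are the two defenses the thread refers to, written in Perl since cvsweb is a Perl CGI: HTML-escaping a reflected free-text parameter such as f, and a whitelist check of the kind "unsafevars" applies to r1/r2. The hidden-input context, the revision-number pattern and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escape the five characters that matter in HTML text and attribute
# context. Escaping the quote characters, not only < and >, is what
# stops a value such as f=">... from closing a quoted attribute.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;      # must run first so later entities survive
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Whitelist check in the spirit of cvsweb's "unsafevars" (assumed
# pattern): a revision may contain only digits separated by dots, so
# anything else is rejected outright rather than escaped.
sub valid_revision {
    my ($r) = @_;
    return defined $r && $r =~ /\A[0-9]+(?:\.[0-9]+)*\z/;
}

# Render the file name into an attribute (assumed context), escaped.
sub file_field {
    my ($f) = @_;
    return sprintf('<input type="hidden" name="f" value="%s">',
                   html_escape($f));
}

# Constructed sample input: the decoded form of the f= value shown in
# the thread's test URL, plus one valid and one malformed revision.
my $f     = q{"><script>alert('XSS')</script>};
my $r1    = '1.5';
my $bad_r = q{1.5"><script>};

print file_field($f), "\n";
for my $r ($r1, $bad_r) {
    printf "revision %s: %s\n", $r,
        (valid_revision($r) ? 'accepted' : 'rejected');
}
```

The escaped field is inert in both Chrome and Firefox regardless of NoScript, which is the behaviour the "quick test" in the reply above confirms for the patched CGI.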