cvs injection

Subject:	cvs injection
From:	"Akosonic" <me@xxxxxxxxxxxx>
Date:	Sun, 13 Jul 2008 21:46:39 UTC
Newsgroups:	fa.openbsd.www

Subject:

cvs injection

From:

Date:

Sun, 13 Jul 2008 21:46:39 UTC

Newsgroups:

fa.openbsd.www


Dear OpenBSD project

i noticed that since a while people use to send arround prepared links for
the openbsd CVS website with all sort of strange stuff in it. Since I
havent found a bugreport for it (searching for code injection etc), I
wanted to inform you, hoping im not the 12'345th person doing so. I hope
its a bug and not a feature that i dont understand.

if you create a link that looks like:

http://www.openbsd.org/cgi-bin/cvsweb/src/?sortby=%22%3E%3Ch1%20style=%22position:absolute;top:20px;font-size:100pt%22%3E%3Cblink%3Ehello%20world%3C/blink%3E%3C/h1%3E

you can inject code to the openBSD project cvs website. since this is
going on for a while, i think there should be a fix out hopefully soon.


regards, and thanks for the attention, aljoscha

<Prev in Thread]	Current Thread	[Next in Thread>
cvs injection, Akosonic <=

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re: Missing _ypldap information in -current?, Miod Vallat
Next by Date:	Link exchange with my google PR 5 site, April Duvalle
Previous by Thread:	Missing _ypldap information in -current?, Aaron W. Hsu
Next by Thread:	Link exchange with my google PR 5 site, April Duvalle
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re: Missing _ypldap information in -current?, Miod Vallat

Next by Date:

Link exchange with my google PR 5 site, April Duvalle

Previous by Thread:

Missing _ypldap information in -current?, Aaron W. Hsu

Next by Thread:

Link exchange with my google PR 5 site, April Duvalle

Indexes:

[Date] [Thread] [Top] [All Lists]