Description
There is no X-Content-Type-Options: nosniff header when viewing a raw file.
This causes MIME type sniffing in some browsers, and finally it turns into a stored XSS vulnerability.
Although there is an HttpOnly flag on the cookie, the attacker could still get the CSRF token, and edit the pre-receive script to carry out a remote code execution attack.
I could perform this attack in IE11/10 and other browsers using the IE core.
POC
Save it to an .eml file, and open it in IE11.
Patch
Add the X-Content-Type-Options: nosniff header to prevent the browser from MIME type sniffing, just as GitHub / GitLab do.
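The fix described above, written out as an added example that is not the Gogs project's own code: a plain net/http middleware (the `NoSniff` and `HasNoSniff` names and the `/raw/test.txt` path are assumptions for illustration) that sets the header on a raw-file route, plus a small check that an auditor can run against a handler to confirm the header is present before and after the change. The raw file body is a constructed sample.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// rawFileHandler stands in for a "view raw file" endpoint. It serves a
// constructed sample body as text/plain, the content type a sniffing
// browser may override when no nosniff header is present.
func rawFileHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, "sample raw file content (constructed)")
}

// NoSniff is a hypothetical middleware (not Gogs code) that adds the
// header the Patch section recommends. It must be set before the
// wrapped handler writes the body, because headers are flushed on the
// first Write.
func NoSniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// HasNoSniff reports whether the response for path carries
// X-Content-Type-Options: nosniff. This is the check to run against
// every raw-file route after deploying the fix.
func HasNoSniff(h http.Handler, path string) bool {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, path, nil)
	h.ServeHTTP(rec, req)
	return rec.Header().Get("X-Content-Type-Options") == "nosniff"
}

func main() {
	before := http.HandlerFunc(rawFileHandler)
	after := NoSniff(before)
	fmt.Println("without middleware:", HasNoSniff(before, "/raw/test.txt"))
	fmt.Println("with middleware:   ", HasNoSniff(after, "/raw/test.txt"))
}
```

Wrapping the whole router (rather than one handler) is the safer deployment, since the header is harmless on every response and a single unwrapped raw route would reintroduce the issue.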
Discoverer
Wenxu Wu of Tencent's Xuanwu Lab