GitList, a popular self-hosted git repository viewer, has a very serious vulnerability in its core application. It allows commands supplied in the URL to be evaluated, and any user able to view the repos can trigger it.
A common installation on a domain looks like this
It’s easy to spot a vulnerable installation by just looking at the footer: if you see “Powered by GitList”, odds are it’s vulnerable. Non-vulnerable installations usually have the version number in the footer, like “Powered by GitList 0.4.0”.
To exploit this simply find a repo and append a string like the following.
Afterwards, you will see a listing of all the files in the repo directory. ls -lah can be any system command.
This vulnerability was fixed in a later version, but vulnerable installations are still widespread in the wild. A simple Google search:
"Powered by GitList"
returns thousands of results for people running this software. If you have this running somewhere, you must update it.
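For checking your own hosts, the footer heuristic described above can be applied to saved copies of each page. This is an added example, not code from the original post or from the GitList project. The hostnames and HTML snippets are constructed samples, and a versioned footer only means "usually not vulnerable", as the post says, so confirm the installed version separately.

```python
import re
from html.parser import HTMLParser

class _TextExtractor(HTMLParser):
    """Collects visible text so markup inside the footer does not hide the string."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts, self._skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

# "Powered by GitList", optionally followed by a dotted version such as 0.4.0
FOOTER_RE = re.compile(r"Powered by\s+GitList(?:\s+v?(\d+(?:\.\d+)+))?", re.IGNORECASE)

def classify_footer(html):
    """Return (status, version): 'not-gitlist', 'unversioned' or 'versioned'."""
    parser = _TextExtractor()
    parser.feed(html)
    parser.close()
    text = re.sub(r"\s+", " ", " ".join(parser.parts))
    match = FOOTER_RE.search(text)
    if match is None:
        return ("not-gitlist", None)
    if match.group(1) is None:
        return ("unversioned", None)   # the post's "odds are it's vulnerable" case
    return ("versioned", match.group(1))

def needs_review(pages):
    """Hosts whose footer shows GitList without a version number."""
    return sorted(h for h, html in pages.items() if classify_footer(html)[0] == "unversioned")

# Constructed sample pages (hypothetical internal hosts, not real GitList markup)
SAMPLE_PAGES = {
    "git-a.example.internal": '<footer><p>Powered by <a href="#">GitList</a></p></footer>',
    "git-b.example.internal": '<footer><p>Powered by <a href="#">GitList 0.4.0</a></p></footer>',
    "wiki.example.internal": "<footer>Powered by SomethingElse</footer>",
}

if __name__ == "__main__":
    for host in needs_review(SAMPLE_PAGES):
        print(f"{host}: unversioned GitList footer, check the installed version and update")
```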