oh no, a lame xss bug in a 3rd party cgi script that runs on a solaris web server hosting a website that uses no cookies. surely this is big news!

You have achieved the difficult task of making CVS less usable.

This was posted on full-disclosure August 6th.

http://seclists.org/fulldisclosure/2008/Aug/0074.html

I cant decide if that's classy or cheeky.

But regardless, I dont know if a bug in cvsweb counts as openbsd - does it?

Not when cvsweb is running on Solaris.

why run solaris at all when there is only 2 remote holes in the default install of openbsd?

Probably because when somebody donates tons of space and bandwidth to you, it's rude to argue with them over their choice of OS.

http://openbsd.org/faq/faq8.html#wwwsolaris

Is that a hole? Is that a default install?

A security hole? Indeed. In the default install? No, but anyways, those are the security guys and I feel this was funny:-)

Not on OpenBSD at all. That's Solaris. (http://openbsd.org/faq/faq8.html#wwwsolaris)

OH NOEZ! U G0TZ MY CVSWEB COOKEEZ!