Date: Sat, 20 Oct 2012 23:19:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>, nicolas.alvarez@...il.com
Subject: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

From: Nicolás Alvarez <nicolas.alvarez@...il.com>
To: Debian Bug Tracking System <submit@...s.debian.org>
Subject: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 17:54:18 -0300

Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
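The sink described in the report is the text that diff copies from the file onto the end of the @@ hunk header (the "function name" context that diff -p and svn diff produce). That string is repository content, so anyone with commit access controls it, and a diff viewer has to escape it exactly like the +/-/context lines. The following is an added example in Python (ViewVC's language), not code from ViewVC or from the attached patch: a hypothetical unified-diff-to-HTML renderer with the bug reproduced behind a flag, beside the escaped form. The sample diff is constructed from the report's own example; the function names, CSS class names and row markup are assumptions of this example and not ViewVC's templates.

```python
import html
import re

# Constructed sample (not captured from a real ViewVC page): the diff from the
# bug report, with the "function name" context on the @@ line carrying the payload.
SAMPLE_DIFF = """\
--- blah\t(revision 1)
+++ blah\t(revision 2)
@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
-trigger
+trigger X
"""

# Unified-diff hunk header. Everything after the second "@@" is the optional
# function-name context, which diff copies verbatim from the file being diffed.
HUNK_RE = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@(?: (.*))?$')


def parse_hunk_header(line):
    """Return (old_start, old_len, new_start, new_len, context) or None."""
    m = HUNK_RE.match(line)
    if not m:
        return None
    old_start, old_len, new_start, new_len, ctx = m.groups()
    # A missing ",len" in a range means a single line.
    return (int(old_start), int(old_len) if old_len is not None else 1,
            int(new_start), int(new_len) if new_len is not None else 1,
            ctx or '')


def render_diff(diff_text, escape_header_context=True):
    """Render a unified diff as HTML table rows (hypothetical markup).

    escape_header_context=False interpolates the @@ line's context raw,
    reproducing the reported bug; True passes every repository-derived
    string through html.escape(), which is the behaviour a viewer needs."""
    rows = []
    old_left = new_left = 0          # lines still expected in the current hunk
    for line in diff_text.splitlines():
        if old_left <= 0 and new_left <= 0:
            # Outside a hunk: only file headers and hunk headers are expected.
            hdr = parse_hunk_header(line)
            if hdr:
                old_start, old_len, new_start, new_len, ctx = hdr
                old_left, new_left = old_len, new_len
                ctx_html = html.escape(ctx) if escape_header_context else ctx
                rows.append('<tr class="hunk"><td>@@ -%d,%d +%d,%d @@ %s</td></tr>'
                            % (old_start, old_len, new_start, new_len, ctx_html))
            elif line.startswith(('--- ', '+++ ')):
                rows.append('<tr class="file"><td>%s</td></tr>' % html.escape(line))
            continue
        # Inside a hunk the first character is the line kind. Counting the
        # ranges down means a removed line that itself starts with "--" is
        # never mistaken for a "---" file header.
        kind, body = line[:1], line[1:]
        if kind in (' ', ''):        # some tools emit blank context lines as ""
            old_left -= 1
            new_left -= 1
            cls = 'ctx'
        elif kind == '-':
            old_left -= 1
            cls = 'del'
        elif kind == '+':
            new_left -= 1
            cls = 'add'
        else:
            continue                 # e.g. "\ No newline at end of file"
        rows.append('<tr class="%s"><td>%s</td></tr>' % (cls, html.escape(body)))
    return '\n'.join(rows)


def contains_unescaped_script(html_out):
    """Crude check for the demo: is a raw <script> tag present in the output?"""
    return '<script' in html_out.lower()


if __name__ == '__main__':
    print(render_diff(SAMPLE_DIFF, escape_header_context=False))   # payload survives
    print(render_diff(SAMPLE_DIFF))                                 # payload escaped
```

The point to take from the two outputs is that the +/-/context lines were already escaped in both; only the header context differed, which is why a viewer that escapes line bodies can still be exploitable. Auditing a diff renderer therefore means listing every string that originates in the repository (line bodies, hunk-header context, file names, revision properties) and confirming each one reaches the page through the same escaping path.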