Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <508385F2.6090304@redhat.com>
Date: Sat, 20 Oct 2012 23:19:46 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>,
        nicolas.alvarez@...il.com
Subject: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062

From: Nicolás Alvarez <nicolas.alvarez@...il.com>
To: Debian Bug Tracking System <submit@...s.debian.org>
Subject: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 17:54:18 -0300
[Message part 1 (text/plain, inline)]
Package: viewvc
Version: 1.1.5-1.3
Severity: important
Tags: security

There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.

Here's an example. Add this file to a SVN repository:

blah
x <script>alert("XSS!");</script>
one context
two context
three context
trigger

Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:

@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
 one context
 two context
 three context
- -trigger
+trigger X

When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.

I'm attaching a patch that should fix this bug.

I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQg4XvAAoJEBYNRVNeJnmT5UoP/jqudbbsiLS5VWhYw6Idvj9U
IAu9RP6vMtUvJWERf7WyKfP8JACWSLpBNnJQrFUNLZXgF2yCUiVOKfR+DdyWx/n0
CXADXFUeS2AJF2/ZKOu4C/E7SeI/AiQ7yy+eN94LoUpflYK3lQPrs+nz1UYLL+pE
/4m5koWvsuUPSNhSv8J1x9D/mMNAi5Pc3zZgw7IDsoOGjxVFEDGya3G0fRfGQamn
mQSY8LCDITxREAIazsVF6VXNTqaDoqIXMTQG3p8DF7XLq8baleFvJuOuiR9eaUgb
3rTOsQR9AncZ8c6cGvAoezBcW137CeLambi7HUWIJyjj7DOHmdCIzUXV2+PVtZnK
Dso1mNNHhn/jSSytYsPlI+j7B7Y/wM0qf5TFGfz9QzCyaewslvrmD5k6nSYyeR0m
xVhaCKF9uTrKGtmleDN9/ykVSCVG6cXaN0gsViUhbRb7wlF+izYMhk7dgIjmvypF
0M0pmCzbS2Si4Q4fX32v8mg9L7OaJIe0YCaZ2aRZJHhGEqV9QEjnMpouAUI6tl1s
lE7jaWEdgx6Mt5leFkbPgc4jryHRrtyIDUYCOnnyTf09z0ajbNVnANowbsVB+y0+
2GqZh7E1/ltvrU8I8j/9iW2Cz8c3+bqEb4D2BxN8E8BLUSHEaenmCfwbr2PlnJ+k
zM28/QZ8NYjGc6bsay+1
=kcnn
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.