Date: Fri, 6 May 2016 00:18:24 +0530
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1236 - XSS Vulnerability in websvn 2.3.3-1.2+deb8u1

# Summary:

Vulnerability Type: Cross-site Scripting (XSS)
Package: websvn
Version: 2.3.3-1.2+deb8u1
CVE: CVE-2016-1236

# Description:

Having a directory or file in a repository with its filename containing an XSS payload will cause it to be executed in various parts of the application.

# Steps to reproduce the issue:

1. Clone an SVN repo that websvn has access to
2. Create a directory/file with its filename containing the XSS payload, for example, "><img src=x onerror=alert(1)>
3. Add and commit the changes (new directory/file).
4. The payload is executed when browsing the repository using websvn in the browser.

# Suggested Patches:

Please use at your own discretion, the following patches might not solve the issue entirely.

The escape() function used in the suggested patch was written by the original developer and can be found in the include/command.php file.

revision.php - Modified L148: + 'path' => escape($change->path) - 'path' => $change->path, log.php - Added L326-328: + $listing[$index]['revadded'] = escape($listing[$index]['revadded']); + $listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']); + $listing[$index]['revmodified'] = escape($listing[$index]['revmodified']); listing.php - Modified L126: + $listing[$index]['filename'] = escape($file); - $listing[$index]['filename'] = $file; L140: + $listing[$index]['compare_box'] = '<input type="checkbox" name="compare" value="'.escape($path.$file).'@...passrev.'" onclick="checkCB(this)" />'; - $listing[$index]['compare_box'] = '<input type="checkbox" name="compare" value="'.$path.$file.'@...passrev.'" onclick="checkCB(this)" />'; comp.php - Modified L384: + $listing[$index]['newpath'] = escape($absnode); - $listing[$index]['newpath'] = $absnode; # Events Timeline: 2016-04-29 - Discovered vulnerability 2016-04-29 - Reported to Debian Security Team 2016-04-30 - Acknowledgement received from Debian Security Team 2016-05-01 - CVE-2016-1236 assigned to the issue 2016-05-05 - Disclosing issue on oss-sec mailing list as advised # Disclaimer: Please use the information presented above responsibly, at your own discretion. I will in no way be responsible for how this information is used or misused.
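
Review bot: In the revision.php hunk at L148 the added line `'path' => escape($change->path)` drops the trailing comma that the removed line had. If further array elements follow this entry the file will no longer parse; keep the comma, i.e. `'path' => escape($change->path),`.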
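
Review bot: The three lines added to log.php at L326-328 read `revadded`, `revdeleted` and `revmodified` unconditionally. If any of these keys is unset for an entry, the read raises an undefined-index notice and the assignment creates the key; guard each line with isset(), or apply escape() where the values are first assigned.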
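
Review bot: In the listing.php hunk at L140 the escaped string lands inside a double-quoted `value="..."` attribute, so the fix only holds if escape() encodes `"` as well as `<` and `>`; the example file name in the report begins with `">`. The body of escape() in include/command.php is not shown in this patch, so confirm that before relying on it. At L126 the `filename` entry is overwritten with the escaped text, so any other consumer of `$listing[$index]['filename']` that is not HTML output would receive the entity-encoded name; check the remaining uses of that key.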
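
The bug class described under "Description", shown as a before/after pair. This is an added example, not websvn code and not part of the original post; the function names, the `/trunk/` path and the revision number are hypothetical, and only the sample file name comes from step 2 above.

```php
<?php
// Added illustration; not websvn source. All function names are hypothetical.

// Encode untrusted text for HTML element content and quoted attribute values.
function html_encode(string $s): string
{
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Before: the file name is concatenated into markup as-is, in an attribute
// and in element content (the behaviour the advisory describes).
function render_row_unsafe(string $path, string $file, int $rev): string
{
    return '<tr><td><input type="checkbox" name="compare" value="'
        . $path . $file . '@' . $rev . '" /></td><td>' . $file . '</td></tr>';
}

// After: every repository-controlled string is encoded at the point of output.
function render_row_safe(string $path, string $file, int $rev): string
{
    return '<tr><td><input type="checkbox" name="compare" value="'
        . html_encode($path . $file . '@' . $rev) . '" /></td><td>'
        . html_encode($file) . '</td></tr>';
}

// Constructed sample input: the file name from step 2 of the advisory.
$file = '"><img src=x onerror=alert(1)>';

$unsafe = render_row_unsafe('/trunk/', $file, 7);
$safe   = render_row_safe('/trunk/', $file, 7);

// Does each row contain a literal <img element created by the file name?
var_dump(strpos($unsafe, '<img') !== false);
var_dump(strpos($safe, '<img') !== false);

// Is the name present in the safe row only as entity-encoded text?
var_dump(strpos($safe, '&quot;&gt;&lt;img') !== false);

// Encoding at output leaves the stored name untouched: decoding round-trips.
var_dump(htmlspecialchars_decode(html_encode($file), ENT_QUOTES) === $file);
```

Encoding at the point of output, rather than overwriting the stored value, keeps the raw file name available for non-HTML uses such as building URLs or calling svn.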