SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   ViewCVS Vendors:   Viewcvs.sourceforge.net
ViewCVS Input Validation Holes in 'content-type' and 'content-length' Parameters Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1012750
SecurityTracker URL:  http://securitytracker.com/id/1012750
CVE Reference:   CVE-2004-1062   (Links to External Site)
Date:  Jan 2 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 0.9.2
Description:   Joxean Koret reported two vulnerabilities in ViewCVS. A remote user can conduct cross-site scripting attacks.

The 'viewcvs.py' script does not properly validate user-supplied input in the 'content-type' and the 'content-length' parameters. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the ViewCVS software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[target]/cgi-bin/viewcvs/project/source.file?rev=HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>

http://[target]/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0d%0aHi

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the ViewCVS software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fix for the 1.0-dev version, available via CVS.
Vendor URL:  viewcvs.sourceforge.net/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Two Vulnerabilities in ViewCVS


---------------------------------------------------------------------------
              Two Vulnerabilities in ViewCVS
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004 
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ViewCVS 0.9.2 - ViewCVS is a browser interface for CVS and Subversion
version control repositories

ViewCVS can browse directories, change logs, and revisions of files. It
can display diffs between versions and show selections of files based on
tags or branches. In addition, ViewCVS has "annotation" / "blame"
support, and Bonsai-like query facility

Web : http://viewcvs.sourceforge.net

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerability and/or HTTP Response Splitting

A1. When you want to view any source file that is stored in the CVS
repository you can 
select the mime-type to view this (in example, text/html or text/plain).
This is a 
parameter that receives thet viewcvs.py script and is not verified.

I'm not sure if this is an HTTP Response Splitting vulnerability and/or
a Cross Site Scripting,
but is a security problem.

To try the vulnerabilities you can try the following the Proof of
Concepts: 

	Sample 1 :
	~~~~~~~~~~


http://<site-with-viewcvs-092>/cgi-bin/viewcvs/project/source.file?rev=HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>

	Sample 2 :
	~~~~~~~~~~


http://<site-with-viewcvs-092>/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0d%0aHi


The fix:
~~~~~~~~

The vendor was contacted but no path for the 0.9.2 version has been
released. Anyway, the 
problems has been fixed in the ViewCVS 1.0-dev version available via
CVS.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory. 

---------------------------------------------------------------------------

Contact:
~~~~~~~~

	Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC