[Full-disclosure] Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability

From: Stefan Esser (sesserhardened-php.net)
Date: Sun Oct 15 2006 - 09:21:57 CDT

                    Happy Python Hackers Project

                      -= Security Advisory =-

     Advisory: ViewVC Undefined Charset UTF-7 XSS Vulnerability
 Release Date: 2006/10/15
Last Modified: 2006/10/15
       Author: Stefan Esser [sesserhardened-php.net]

  Application: ViewVC <= 1.0.2
     Severity: A missing default charset definition allows XSS attacks
               against browsers interpreting UTF-7 (IE, mozilla family)
         Risk: Medium
Vendor Status: Vendor released 1.0.3 which according to vendor fixes
               this vulnerability
   References: http://www.hardened-php.net/advisory_102006.134.html

Introduction:

   Quote from http://www.viewvc.org
   "ViewVC is a browser interface for CVS and Subversion version
    control repositories. It generates templatized HTML to present
    navigable directory, revision, and change log listings. It can
    display specific versions of files as well as diffs between
    those versions. Basically, ViewVC provides the bulk of the
    report-like functionality you expect out of your version
    control tool, but much more prettily than the average textual
    command-line program output."

Details:

   It was discovered that ViewVC neither sends a charset HTTP
   header nor specifies a charset in the HTML body. Several browsers
   can therefore be tricked into decoding ViewVC pages as UTF-7,
   which allows attackers to inject arbitrary UTF-7 encoded
   JavaScript code into the output.

   Please note that these UTF-7 attacks against sites with missing
   charset definitions are also exploitable in the mozilla browser
   family (seamonkey, firefox, ...). Advisories from other parties
   that describe similar vulnerabilities usually claim that only
   Internet Explorer with charset auto-detection enabled is
   vulnerable. In reality the mozilla browser family is affected
   even more, because it can be attacked regardless of whether
   charset auto-detection is turned on or off.
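The condition the advisory describes, a page that declares no charset in either the HTTP header or the HTML body, can be checked mechanically. The following is an added example, not ViewVC's own code: `declared_charset` reports which charset a response declares (or `None`), and `fix_content_type` applies the mitigation of stating the encoding explicitly; the sample responses are constructed for illustration.

```python
import re
from typing import Mapping, Optional

# Added example, not ViewVC's own code: detect whether an HTTP response
# declares a character set anywhere a browser will honour it. With no
# declaration the browser falls back to charset sniffing, which is the
# condition this advisory describes.

_HEADER_CHARSET = re.compile(r';\s*charset\s*=\s*"?([\w.:-]+)', re.I)
# Matches both <meta http-equiv="Content-Type" content="...; charset=X">
# and the HTML5 form <meta charset="X">.
_META_CHARSET = re.compile(r"""<meta[^>]+charset\s*=\s*["']?([\w.:-]+)""", re.I)


def declared_charset(headers: Mapping[str, str], body: str) -> Optional[str]:
    """Return the charset the response declares (lower-cased), or None.

    The Content-Type header takes precedence; otherwise a <meta>
    declaration in the body counts.
    """
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), "")
    m = _HEADER_CHARSET.search(ctype) or _META_CHARSET.search(body)
    return m.group(1).lower() if m else None


def fix_content_type(headers: Mapping[str, str],
                     charset: str = "utf-8") -> dict:
    """Return a copy of headers with an explicit charset on Content-Type.

    This is the mitigation the advisory implies: state the encoding so
    the browser never has to guess it.
    """
    fixed = dict(headers)
    key = next((k for k in fixed if k.lower() == "content-type"),
               "Content-Type")
    media_type = fixed.get(key, "text/html").split(";")[0].strip()
    fixed[key] = f"{media_type}; charset={charset}"
    return fixed


# Constructed sample responses, not captured from a real ViewVC instance.
VULNERABLE_HEADERS = {"Content-Type": "text/html"}
VULNERABLE_BODY = "<html><head><title>ViewVC</title></head><body>...</body></html>"
SAFE_BODY = ('<html><head><meta http-equiv="Content-Type" '
             'content="text/html; charset=utf-8"></head><body>...</body></html>')

if __name__ == "__main__":
    print(declared_charset(VULNERABLE_HEADERS, VULNERABLE_BODY))  # None
    print(fix_content_type(VULNERABLE_HEADERS)["Content-Type"])  # text/html; charset=utf-8
```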

Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of
   concept exploit to the general public.

Disclosure Timeline:

   07. October 2006 - Notified ViewVC developers
   13. October 2006 - ViewVC developers release 1.0.3
   15. October 2006 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   ViewVC 1.0.3, which you can download at:

GPG-Key:

   pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.


Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/