•  
      request #19179 Potential XSS when accessing a file stored in a SVN repository
    Infos
    #19179
    Thomas Gerbet (tgerbet)
    2021-02-24 14:00
    2021-01-13 11:51
    20754
    Details
    Potential XSS when accessing a file stored in a SVN repository

    A XSS payload can be injected in a file stored in a SVN repository. When this file is accessed directly with a browser, a XSS could be triggered without the Content Security Policy.

    Impact

    A malicious user with the ability to commit files in a SVN repository could use this vulnerability to force a victim to execute uncontrolled code. However a successful exploitation requires to bypass the strict CSP policy (introduced for the ongoing work in request #17967) which seems unlikely on any of the browsers supported by Tuleap. It should however be noted that Internet Explorer does not support the Content Security Policy header (at least not in any meaningful way) so the impact is bigger for old Tuleap versions.
    CVSSv3.1 score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

    Exploitation

    Create a new SVN repository, commit a file named index.html into it with the following content: <html><body><script>alert(1)</script></body></html>

    Access this file directly with your browser. There are at least two ways to do it:

    • access the repo URL with your browser and browse it: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/index.html
    • access the file with your browser in the same way a SVN client does: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/!svn/rvr/1/index.html

    In both cases, if you check your browser console you will see errors about the content security policy.

    References

    CWE 79
    OWASP Cross-site Scripting

    SCM/Subversion
    All
    Empty
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Thomas Gerbet (tgerbet)
    Closed
    2021-01-14
    Attachments
    Empty
    References

    Follow-ups