request #19179 Potential XSS when accessing a file stored in a SVN repository

Artifact

Infos

Artifact ID#19179

Submitted byThomas Gerbet (tgerbet)

Last Modified On2021-02-24 14:00

Submitted on2021-01-13 11:51

Rank20749

Details

Summary *

Potential XSS when accessing a file stored in a SVN repository

Original Submission

A XSS payload can be injected in a file stored in a SVN repository. When this file is accessed directly with a browser, a XSS could be triggered without the Content Security Policy.

Impact

A malicious user with the ability to commit files in a SVN repository could use this vulnerability to force a victim to execute uncontrolled code. However a successful exploitation requires to bypass the strict CSP policy (introduced for the ongoing work in request #17967) which seems unlikely on any of the browsers supported by Tuleap. It should however be noted that Internet Explorer does not support the Content Security Policy header (at least not in any meaningful way) so the impact is bigger for old Tuleap versions.
CVSSv3.1 score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N)

Exploitation

Create a new SVN repository, commit a file named index.html into it with the following content: <html><body><script>alert(1)</script></body></html>

Access this file directly with your browser. There are at least two ways to do it:

access the repo URL with your browser and browse it: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/index.html
access the file with your browser in the same way a SVN client does: https://<tuleap_instance>/svnplugin/<project_name>/<repo_name>/!svn/rvr/1/index.html

In both cases, if you check your browser console you will see errors about the content security policy.