      request #8841 Persistent XSS in the detailed view of a file in subversion or CVS browser
    Infos
    #8841
    Thomas Gerbet (tgerbet)
    2017-02-16 10:53
    2016-02-03 18:17
    Details
    Persistent XSS in the detailed view of a file in subversion or CVS browser

    A persistent XSS could be injected via a filename committed to an SVN repo.

    Impact

    An attacker could use this vulnerability to force a victim's browser to execute attacker-controlled script.
    CVSS2 score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    CVSS3 score: 5.0 (3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N)

    Exploitation

    Add a file to an SVN repo with a name like <img src="#" onerror="alert(1)">, commit it and open the detailed view of the file in the Subversion browser. The XSS will be triggered.
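As an added illustration that is not part of this ticket or of ViewVC's code, the snippet below places the unescaped interpolation behind this class of bug beside a per-context-encoded version, and adds a parser-based check a defender can run over rendered output; the template strings, function names and the `TagAudit` class are constructed for this example, while the hostile file name is the one quoted above.

```python
# Added example, not ViewVC's code: a repository file name written into the
# detailed-view page without escaping is the root cause of the ticket above.
# Template strings and the TagAudit check are constructed for this example.
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed sample inputs: the hostile name from the ticket and a benign one.
HOSTILE_NAME = '<img src="#" onerror="alert(1)">'
BENIGN_NAME = "Makefile"


def render_vulnerable(filename):
    """Interpolates the raw file name; the browser parses it as markup."""
    return f'<h1>{filename}</h1><a href="/view/{filename}">download</a>'


def render_fixed(filename):
    """Encodes once per output context: HTML-escape for the text node,
    percent-encode for the URL path segment inside href."""
    text = escape(filename, quote=True)
    path = quote(filename, safe="")
    return f'<h1>{text}</h1><a href="/view/{path}">download</a>'


class TagAudit(HTMLParser):
    """Collects element names and on* event-handler attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(k for k, _ in attrs if k.startswith("on"))


def unexpected_markup(rendered, allowed=("h1", "a")):
    """Defender-side check on rendered output: any element other than the
    template's own, or any event-handler attribute, means user data reached
    the page as live markup. Returns the offending names (empty when clean)."""
    audit = TagAudit()
    audit.feed(rendered)
    audit.close()
    return [t for t in audit.tags if t not in allowed] + audit.handlers
```

Running `unexpected_markup` over both renderings of `HOSTILE_NAME` shows the injected `img` element and its `onerror` handler only in the vulnerable output.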

    References

    https://cwe.mitre.org/data/definitions/79.html
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

    References

    Referenced by request #8841 (Artifact Tracker v5): rel #9841 9.5

    Follow-ups

    Thomas Gerbet (tgerbet) 2017-02-16 10:44
    ViewVC 1.1.26-1 has landed into the stable repo of EPEL for CentOS 6.

    Public disclosure.

    • Status changed from Verified to Closed
    • Connected artifacts
    • Close date set to 2017-02-16
    Thomas Gerbet (tgerbet) 2017-01-30 12:04
    Our custom version of ViewVC has been removed from the Tuleap repo.

    I have contacted the package maintainer so that viewvc can be updated in the EPEL repo.
    As far as I'm aware, DWF project has not yet assigned a CVE ID to this issue.

    • Summary
      -Persistent XSS in the detailed view of a file in subversion browser 
      +Persistent XSS in the detailed view of a file in subversion or CVS browser 
    Thomas Gerbet (tgerbet) 2017-01-25 09:07
    Issue has been fixed upstream (https://github.com/viewvc/viewvc/commit/9dcfc7daa4c940992920d3b2fbd317da20e44aad) and a new version has been released (ViewVC 1.1.26).

    A CVE ID has been requested for this vulnerability, once assigned I will ask for the update of the package in EPEL.

    In the meantime, we should probably remove our custom version of ViewVC from our repo since it is also vulnerable and encourage users to switch to the package maintained by EPEL.
    Thomas Gerbet (tgerbet) 2017-01-24 14:46
    Issue investigated and reproduced with the latest stable version of ViewVC. Cannot be easily fixed without directly patching ViewVC.

    I have contacted one of the current maintainers of ViewVC; in case of no response I will report the issue to the RedHat and Debian security teams since both projects maintain a viewvc package.