CVE Request: viewvc 1.1.5 lib/viewvc.py XSS
From: Kurt Seifried <kseifried () redhat com>
Date: Sat, 20 Oct 2012 23:19:46 -0600
From: Nicolás Alvarez <nicolas.alvarez () gmail com>
To: Debian Bug Tracking System <submit () bugs debian org>
Subject: viewvc: XSS bug in diff view
Date: Sat, 20 Oct 2012 17:54:18 -0300
There is an XSS bug in the diff view, exploitable by people with commit
access to the repository. The "function name" lines returned by diff (in
the diff lines starting with @@) are not HTML-escaped.
Here's an example. Add this file to an SVN repository:
Commit it. Next, change the line labeled 'trigger', and commit again.
The diff produced by the second commit is:
@@ -3,4 +3,4 @@ x <script>alert("XSS!");</script>
When telling ViewVC to show the diff of that file for the last commit,
it doesn't HTML-escape the <script>, so it gets executed.
I'm attaching a patch that should fix this bug.
I don't have a CVE number. I haven't reported this upstream. I quickly
glanced at the upstream bug list and dev list archives and it didn't
seem to be already reported, but I didn't search carefully.
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
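As an added illustration (not part of Kurt's or Nicolás's message, and not ViewVC's own code), the Python below shows the hunk-header handling the report describes: the function-name text after the second `@@` is repository-controlled and has to be HTML-escaped like any other diff content. The function names, the `<span>` template and the allowed-tag check are assumptions for this demo.

```python
import html
import re

# Unified-diff hunk header: "@@ -old_start,old_len +new_start,new_len @@ context"
# The trailing context (the "function name" line emitted by diff -p) comes
# straight from repository content, so anyone with commit access controls it.
HUNK_RE = re.compile(
    r'^@@ -(?P<old_start>\d+)(?:,(?P<old_len>\d+))? '
    r'\+(?P<new_start>\d+)(?:,(?P<new_len>\d+))? @@(?: (?P<context>.*))?$'
)

# Tags the template itself is allowed to emit; anything else is injected.
TAG_RE = re.compile(r'<\s*/?\s*([A-Za-z][A-Za-z0-9]*)')


def parse_hunk_header(line):
    """Split a hunk header into its numeric ranges and the optional context text."""
    m = HUNK_RE.match(line)
    if not m:
        raise ValueError("not a unified-diff hunk header: %r" % line)
    d = m.groupdict()
    return {
        "old_start": int(d["old_start"]),
        "old_len": int(d["old_len"] or 1),   # a missing length means 1 line
        "new_start": int(d["new_start"]),
        "new_len": int(d["new_len"] or 1),
        "context": d["context"] or "",
    }


def render_hunk_header_unescaped(line):
    """Mirrors the reported flaw: context text is dropped into the markup verbatim."""
    h = parse_hunk_header(line)
    return '<span class="hunk">@@ -%d,%d +%d,%d @@ %s</span>' % (
        h["old_start"], h["old_len"], h["new_start"], h["new_len"], h["context"])


def render_hunk_header(line):
    """Fixed form: the repository-controlled field is escaped before output."""
    h = parse_hunk_header(line)
    return '<span class="hunk">@@ -%d,%d +%d,%d @@ %s</span>' % (
        h["old_start"], h["old_len"], h["new_start"], h["new_len"],
        html.escape(h["context"], quote=True))


def has_injected_tags(rendered, allowed=("span",)):
    """Output check: report any tag name the template did not put there itself."""
    return any(t.lower() not in allowed for t in TAG_RE.findall(rendered))
```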