[UNIX] HTTP Response Splitting and Cross Site Scripting in ViewCVS

From: SecuriTeam (support_at_securiteam.com)
Date: 01/03/05

  • Next message: SecuriTeam: "[UNIX] GNUBoard Multiple Extensions Vulnerability" 
    To: list@securiteam.com
Date: 3 Jan 2005 16:50:10 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      HTTP Response Splitting and Cross Site Scripting in ViewCVS
    ------------------------------------------------------------------------

    SUMMARY

     <http://viewcvs.sourceforge.net/> ViewCVS is "a browser interface for CVS
    and Subversion version control repositories. It generates templatized HTML
    to present navigable directory, revision, and change log listings".

    Due to unfiltered parameter, ViewCVS is vulnerable to HTTP response
    splitting and Cross Site Scripting, allowing an attacker to run arbitrary
    HTML code.

    DETAILS

    Vulnerable Systems:
     * ViewCVS Version 0.9.2

    HTTP Response Splitting and Cross Site Scripting in content-type
    Parameter:
    When you want to view any source file that is stored in the CVS repository
    you can select the mime-type to view this (in example, text/html or
    text/plain). The parameter is receives by viewcvs.py script and is not
    verified.

    Proof of Concept:
    http://example.com/cgi-bin/viewcvs/project/source.file?rev=HEAD&content-type=text/html%0d%0a%0d%0a><body bgcolor="black"><font size=7 color=red>XSS or HTTP Response Splitting</font></html>
    Another example:
    http://example.com/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length: 1937%0d%0a%0d%0aHi

    Vendor Status:
    The vendor was contacted but no patch for the 0.9.2 version has been
    released. Anyway, the problems has been fixed in the ViewCVS 1.0-dev
    version available via CVS.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:joxeankoret@yahoo.es> Joxean
    Koret.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] GNUBoard Multiple Extensions Vulnerability"

    Relevant Pages

    • [UNIX] Multiple Vulnerabilities MetaDot Portal Server
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... SQL Injection: ... query he can cause an error message to execute script into an unsuspecting ... users browser thus causing a Cross Site Scripting attack. ...
      (Securiteam)
    • [UNIX] Multiple Vulnerabilities in XMB Forum (CSS, SQL Injection, Administrative Password Disclosure
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A cross site scripting bug exists in u2u.php as well. ... An SQL injection and a cross site-scripting bug in member.php (only ... Yet more SQL injections and XSS vulnerabilities exists, ...
      (Securiteam)
    • [UNIX] Multiple Vulnerabilities in Moodle (view.php, file.php)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Cross Site Scripting in /mod/forum/view.php ... session ID we can use cross site scripting vulnerability. ... Session File Disclosure vulnerability is patched in version 1.4.3. ...
      (Securiteam)
    • [UNIX] Cyphor Multiple Security Vulnerabilities (SQL Injection and CSS)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... normal users, moderators and administrators. ... SQL Injection in 'Forgot Password Interface': ... The following URL will trigger an cross site scripting attack against ...
      (Securiteam)
    • [UNIX] Multiple Vulnerabilities in NukeBookmarks (Full path disclosure, Cross Site Scripting, SQL I
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Cross Site Scripting and SQL Injection ... Full Path Disclosure Vulnerability: ...
      (Securiteam)