[UNIX] ViewVC Undefined Charset UTF-7 XSS Vulnerability
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 16 Oct 2006 10:14:30 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
ViewVC Undefined Charset UTF-7 XSS Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.viewvc.org> ViewVC is "a browser interface for CVS and
Subversion version control repositories. It generates templatized HTML to
present navigable directory, revision, and change log listings. It can
display specific versions of files as well as diffs between those
versions. Basically, ViewVC provides the bulk of the report-like
functionality you expect out of your version control tool, but much more
prettily than the average textual command-line program output".
It was discovered that ViewVC neither sends a charset in its HTTP Content-Type
header nor specifies one in the HTML body. It is therefore possible to trick
several browsers into decoding ViewVC pages as UTF-7, which allows attackers
to inject arbitrary UTF-7 encoded JavaScript code into the output.
Please note that these UTF-7 attacks against sites with missing charset
definitions are also exploitable in the Mozilla browser family (SeaMonkey,
Firefox, ...). Advisories from other parties describing similar
vulnerabilities usually claim that only Internet Explorer with charset
auto-detection enabled is vulnerable. In reality the Mozilla browser family is
even more affected, because it can be attacked regardless of whether charset
auto-detection is turned on or off.
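The following is an added example written for this page, not code from the advisory or from the ViewVC project. It shows a defender's check for the weakness described above: it reports a response that declares no charset (neither in the Content-Type header nor in a meta tag), shows what such a body reads as if a browser guesses UTF-7, and applies the mitigation of declaring the charset on the Content-Type header. The headers and the page body are constructed sample data; the user-controlled "log message" deliberately contains only a harmless bold tag in UTF-7 form to show that HTML escaping does not touch it.

```python
import html
import re
from typing import Dict, List, Optional

# Matches "charset=xxx" in a Content-Type header value or in a <meta> tag.
CHARSET_RE = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)
META_CHARSET_RE = re.compile(r"<meta[^>]+charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)


def declared_charset(headers: Dict[str, str], body: str) -> Optional[str]:
    """Return the charset the response tells the browser to use: the HTTP
    Content-Type header wins, then a <meta ... charset=...> tag in the body.
    None means the browser is left to guess (sniff) the encoding."""
    content_type = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    match = CHARSET_RE.search(content_type) or META_CHARSET_RE.search(body)
    return match.group(1).lower() if match else None


def utf7_view(body: str) -> Optional[str]:
    """Return what the body reads as if a browser guesses UTF-7, or None if the
    body contains no UTF-7 shift sequence ('+...-') or is not well-formed UTF-7.
    HTML escaping never touches '+', letters or '-', so escaped output can
    still carry shift sequences that decode to markup."""
    if "+" not in body:
        return None
    try:
        return body.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return None


def audit_response(headers: Dict[str, str], body: str) -> List[str]:
    """Flag a response that declares no charset; additionally flag it when a
    UTF-7 reading of the body contains more tags than the literal body, which
    is the symptom of the problem the advisory describes."""
    findings: List[str] = []
    if declared_charset(headers, body) is not None:
        return findings
    findings.append("no charset declared: browser charset sniffing decides the encoding")
    view = utf7_view(body)
    if view is not None and view.count("<") > body.count("<"):
        findings.append("UTF-7 reading of the body introduces markup not present in the literal bytes")
    return findings


def add_charset(headers: Dict[str, str], charset: str = "utf-8") -> Dict[str, str]:
    """Server-side mitigation: declare the charset on the Content-Type header.
    Modelled here as a header rewrite (hypothetical helper, not ViewVC's own
    fix); an existing charset declaration is kept as is."""
    fixed = dict(headers)
    key = next((k for k in fixed if k.lower() == "content-type"), "Content-Type")
    value = fixed.get(key, "text/html")
    if not CHARSET_RE.search(value):
        value = value.rstrip("; ") + "; charset=" + charset
    fixed[key] = value
    return fixed


# Constructed sample data: a user-controlled log message, HTML-escaped the way a
# template would escape it, embedded in a page sent without any charset.
USER_LOG_MESSAGE = "+ADw-b+AD4-hi"           # UTF-7 form of "<b>hi"; escaping leaves it untouched
VULN_HEADERS = {"Content-Type": "text/html"}  # no charset, the situation the advisory describes
SAMPLE_BODY = (
    "<html><body><pre>log message: " + html.escape(USER_LOG_MESSAGE) + "</pre></body></html>"
)

if __name__ == "__main__":
    for finding in audit_response(VULN_HEADERS, SAMPLE_BODY):
        print("finding:", finding)
    print("utf-7 reading:", utf7_view(SAMPLE_BODY))
    print("after fix:", audit_response(add_charset(VULN_HEADERS), SAMPLE_BODY) or "clean")
```

Running the block reports both findings for the sample response and none once `add_charset` has added `charset=utf-8` to the Content-Type header. The header is the place to declare the charset: a meta tag is only consulted after the browser has already started parsing the document, so the HTTP header is the declaration that rules out guessing.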
DETAILS
Vulnerable Systems:
* ViewVC version 1.0.2 and prior
Immune Systems:
* ViewVC version 1.0.3 or newer
Disclosure Timeline:
07. October 2006 - Notified ViewVC developers
13. October 2006 - ViewVC developers release 1.0.3
15. October 2006 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to the newest version, ViewVC 1.0.3,
which you can download at:
http://viewvc.tigris.org/servlets/ProjectDocumentList?folderID=6004
ADDITIONAL INFORMATION
The information has been provided by Stefan Esser <sesser@xxxxxxxxxxxxxxxx>.
The original article can be found at:
http://www.hardened-php.net/advisory_102006.134.html