Re: CVE Request: viewvc 1.1.5 lib/viewvc.py XSS

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/20/2012 11:19 PM, Kurt Seifried wrote:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=691062
>
> From: Nicolás Alvarez <nicolas.alvarez () gmail com> To: Debian Bug
> Tracking System <submit () bugs debian org> Subject: viewvc: XSS bug
> in diff view Date: Sat, 20 Oct 2012 17:54:18 -0300 [Message part 1
> (text/plain, inline)] Package: viewvc Version: 1.1.5-1.3 Severity:
> important Tags: security
>
> There is an XSS bug in the diff view, exploitable by people with
> commit access to the repository. The "function name" lines returned
> by diff (in the diff lines starting with @@) are not HTML-escaped.
>
> Here's an example. Add this file to a SVN repository:
>
> blah x <script>alert("XSS!");</script> one context two context 
> three context trigger
>
> Commit it. Next, change the line labeled 'trigger', and commit
> again. The diff produced by the second commit is:
>
> @@ -3,4 +3,4 @@ x <script>alert("XSS!");</script> one context two
> context three context -trigger +trigger X
>
> When telling ViewVC to show the diff of that file for the last
> commit, it doesn't HTML-escape the <script>, so it gets executed.
>
> I'm attaching a patch that should fix this bug.
>
> I don't have a CVE number. I haven't reported this upstream. I
> quickly glanced at the upstream bug list and dev list archives and
> it didn't seem to be already reported, but I didn't search
> carefully.

I checked CVE (nothing for this) and the ChangeLogs/etc. This is
indeed a new issue. Please use CVE-2012-4533 for this issue.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQg4a6AAoJEBYNRVNeJnmTOm0P/3ZtfO5AjJ2XTpOHK6lya/fn
23n/TZsInUHFL9jyKgeXEnRMrYEda5BYwoA1Ypd/umfVjUgM9N+yRo1ye9DADGxw
+6pSFKDLo9MDHpSx0TjRerdFnxbnnf64dX1sPktXZxkJBVKmV5wlQghjNq3G4DdS
ebhRYeIvhwkzCe4sy7zaOJt2/+GIi+GMeVejSwyqdaiOmfMCeGcZDbAhSbSVl8/q
niCWcClOMcQsxJdEJtQZJzUHZaDpbuM6ETJsvmnL76+c0lcrnJZerxIC/Udpp6Ha
okNZRwRM5Cjhza5MI6rtaO9+gKi9/F3WiU0Cgg2vf3tq3pScnm+fyZvY4HaBFB2V
gVvomJLi8IN6rwZjpgPPt4rJObV4xYScdL7KqHrU2iEWmHvEeToOOoRWUtvPspiG
ZdBehTy1K/ZF1w9cusU9oC1FK9xtHBNY5eyvN5mwyxKeDAe2jcwEYZHUBtuev/Hw
REFTKCBrHek1sDiNfD/NF4AEN2QYiJRC+MgwWI5k/O8SHNF4JH+gBw05b7LJjU0X
prj/owExb431fd3dOlqSKnx1EtVTUnDA4Z/H6hnYMvDVviRSsodkOimg2w36OVLZ
//ook5dNxCb7kKJp2+crWLS+I8exzBDwkNtSC1xCJ1XtJTtng+J4EGiO0SodSV18
eDwMJt8qjchOJElv1y4j
=AINE
-----END PGP SIGNATURE-----