|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-0: CVE-2004-1062: Cross site scripting attack in viewcvs | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Ludwig Nussel <lnussel> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P3 - Medium | CC: | security-team |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | CVE-2004-1062: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: |
patch to replace special characters by html entities
patchinfo for box products patchinfo for sles |
||
|
Description
Ludwig Nussel
2004-12-09 22:43:16 UTC
I think I can't reproduce it: poeml@aust ~ % w3m -dump 'http://svn.suse.de/viewcvs/<script>alert("BOO"+document.cookie)</script>' An Exception Has Occurred : unknown location HTTP Response Status 404 Not Found ------------------------------------------------------------------------------- Python Traceback Traceback (most recent call last): File "/srv/viewcvs/lib/viewcvs.py", line 3195, in main request.run_viewcvs() File "/srv/viewcvs/lib/viewcvs.py", line 308, in run_viewcvs % self.where, '404 Not Found') ViewCVSException: 404 Not Found: : unknown location Server log: ==> /var/log/apache2/access_log <== 149.44.160.33 - - [09/Dec/2004:15:46:34 +0100] "GET /viewcvs/<script>alert(\"BOO\"+document.cookie)</script> HTTP/1.0" 404 823 "-" "w3m/0.4.1-m17n-20030308" I can indeed reproduce with a javascript capable browser. The URL that gets sent back in the viewcvs 404 page contains the unquoted <script> tag. It's wrapped in <pre> but still executed by e.g. mozilla. Created attachment 26914 [details]
patch to replace special characters by html entities
Security team, what do we do with this bug? Fix it? Wait for the next security update? Please fix it. Olaf, are you planning to move the subversion from BETA to STABLE sometimes? Yes, but unlikely before Monday. Too much other things going on. I think these viewcvs things can wait a few more hours. From a quick look, a few changes were already made in cvs. Okay, I will add the patch to the released packages then. is there an id on cve.mitre.org? Ludwig, you sent the patch to vendor-sec, did you already send it to upstream as well? * This comment was added by mail. No. I've just asked about the status on vendor-sec. Since this one might be releated to the apache.org viewcvs issue there might be an embargo. btw what is the difference between viewcvs and subversion-viewcvs? once there was viewcvs (for CVS), later it was extended to cover subversion as well. It's still called viewcvs though, and can still handle CVS repositories, and our package name is subversion-viewcvs. my idea was, rpm -i foo.src.rpm should not overwrite other files. rpm files should not be called blah.patch, but foo.blah.patch because blah.patch can be found in several packages. it just contains a tar file of the viewcvs cvs head. * This comment was added by mail. Date: Thu, 16 Dec 2004 13:10:28 +0000 (GMT) From: Mark J Cox <mjc@redhat.com> To: Ludwig Nussel <ludwig.nussel@suse.de> Cc: vendor-sec@lst.de Subject: Re: [vendor-sec] subversion-viewcvs XSS issues |Anyone else affected by this? Do we need a CAN#? What is the embargo |on the apache viewcvs thing and does it apply to this one as well? oops, to actually answer your question this time; the viewcvs issue you've found is identical, as is the fix. So use CAN-2004-1062 for this issue Cheers, Mark ASF fix: diff -u -r1.17 debug.py --- lib/debug.py 19 Nov 2004 06:38:39 -0000 1.17 +++ lib/debug.py 7 Dec 2004 07:04:48 -0000 # import sys +import cgi SHOW_TIMES = 0 class ViewCVSException: def __init__(self, msg, status=None): - self.msg = msg + self.msg = cgi.escape(msg) self.status = status def __str__(self): Wasn't there an issue that subversion-viewcvs ws not shipped on some products, because it was marked INTERNAL? * This comment was added by mail. I've just mailed the original reporter (Michael Krax <mikx@mikx.de>). He did not place an embargo, we can release updates when ready. He did not know whether upstream was already notified. Ludwig, is it enough to add subversion-viewcvs to the package string in the patchinfos? Or the full list of all subpackages? I guess nothing depends on it, so just do the subpackage. * This comment was added by mail. Depends on whether there have been updates for subversion-viewcvs already. If subversion-viewcvs was not contained in any previous subversion updates a separate patchinfo can be used. That's why I asked. Since it is cumbersome (and error-prone) to find out whether there already was an update, and what was updated (I can't look inside the old patchinfos) I hoped that you guys have a better idea... * This comment was added by mail. Doesn't look like it was already in any patch. Thanks. To my question in comment #15: I think it was not subversion-viewcvs but subversion-tools which was marked INTERNAL. Never mind. Created attachment 27143 [details]
patchinfo for box products
Created attachment 27144 [details]
patchinfo for sles
Note about the issue and patch sent to upstream author. Olaf will take care of STABLE. I'm reassigning to security-team for further processing. swamp id 81 packages released. CVE-2004-1062: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |