Bugzilla – Bug 64086
VUL-0: CVE-2004-1062: Cross site scripting attack in viewcvs
Last modified: 2021-10-13 11:56:26 UTC
Due to a report about an XSS bug in viewcvs on apache.org I tried it on svn.suse.de. Open the following URL: http://svn.suse.de/viewcvs/<script>alert("BOO"+document.cookie)</script> It will insert the script code into the error message it delivers. Do you use a plain subversion-viewcvs on that server? If so, subversion-viewcvs is vulnerable to an XSS attack.
I think I can't reproduce it:

poeml@aust ~ % w3m -dump 'http://svn.suse.de/viewcvs/<script>alert("BOO"+document.cookie)</script>'
An Exception Has Occurred : unknown location
HTTP Response Status 404 Not Found
-------------------------------------------------------------------------------
Python Traceback
Traceback (most recent call last):
  File "/srv/viewcvs/lib/viewcvs.py", line 3195, in main
    request.run_viewcvs()
  File "/srv/viewcvs/lib/viewcvs.py", line 308, in run_viewcvs
    % self.where, '404 Not Found')
ViewCVSException: 404 Not Found: : unknown location

Server log:
==> /var/log/apache2/access_log <==
149.44.160.33 - - [09/Dec/2004:15:46:34 +0100] "GET /viewcvs/<script>alert(\"BOO\"+document.cookie)</script> HTTP/1.0" 404 823 "-" "w3m/0.4.1-m17n-20030308"
I can indeed reproduce it with a JavaScript-capable browser. The URL that gets sent back in the viewcvs 404 page contains the unquoted <script> tag. It's wrapped in <pre> but still executed by e.g. Mozilla.
Created attachment 26914 [details] patch to replace special characters by html entities
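As an added illustration of the flaw discussed in the comments above (this is example code, not viewcvs or the attached patch): the request path is percent-decoded by the web server before viewcvs sees it, so the browser's own encoding of `<` and `>` gives no protection; the decoded path is then interpolated into the 404 message, and `<pre>` does nothing to stop the HTML parser from recognising a `<script>` element. The template and function names below are hypothetical; the only property taken from the thread is that the message lands inside `<pre>`.

```python
import html
from urllib.parse import unquote

# Constructed sample request paths modelled on the URL in the report.
# The browser percent-encodes the first form on the wire; the server
# decodes it back before building the error message, so the encoding
# offers no protection by itself.
HOSTILE_PATH = '/viewcvs/<script>alert("BOO"+document.cookie)</script>'
ENCODED_PATH = '/viewcvs/%3Cscript%3Ealert(%22BOO%22%2Bdocument.cookie)%3C/script%3E'

# Hypothetical error page; the real viewcvs template differs, but the
# relevant property is the same: the message lands inside <pre>.
PAGE_TEMPLATE = (
    "<html><body><h1>An Exception Has Occurred</h1>\n"
    "<pre>{msg}</pre>\n"
    "<p>HTTP Response Status {status}</p>\n"
    "</body></html>\n"
)


def decode_request_path(raw_path):
    """What a CGI/WSGI front end hands to the application: PATH_INFO with
    percent-escapes already decoded."""
    return unquote(raw_path)


def render_404_vulnerable(where):
    """Unpatched pattern: the decoded path is interpolated verbatim.
    <pre> only preserves whitespace; it does not stop the HTML parser
    from recognising a <script> element, so the payload runs."""
    msg = "404 Not Found: %s: unknown location" % where
    return PAGE_TEMPLATE.format(msg=msg, status="404 Not Found")


def render_404_fixed(where):
    """Same page, but the message is entity-encoded where it enters the
    HTML. html.escape is the Python 3 successor of cgi.escape; quote=True
    also turns " and ' into entities, which matters if the same string is
    ever emitted inside an attribute value."""
    msg = "404 Not Found: %s: unknown location" % where
    return PAGE_TEMPLATE.format(
        msg=html.escape(msg, quote=True),
        status=html.escape("404 Not Found", quote=True),
    )


def contains_raw_script(page):
    """Crude check a reviewer can run over a response: does a literal
    '<script' survive into the markup?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    where = decode_request_path(ENCODED_PATH)
    assert where == HOSTILE_PATH
    print("vulnerable page carries a live <script> tag:",
          contains_raw_script(render_404_vulnerable(where)))
    print("fixed page carries a live <script> tag:",
          contains_raw_script(render_404_fixed(where)))
    print(render_404_fixed(where))
```

Escaping at the point where the string is written into HTML, rather than when the exception is constructed, keeps other consumers of the message (logs, plain-text output) from seeing entity-encoded text. Note that Python 2's `cgi.escape(msg)` with its default arguments leaves `"` untouched; that is harmless inside `<pre>` text but not inside an attribute, which is why the example passes `quote=True`.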
Security team, what do we do with this bug? Fix it? Wait for the next security update?
Please fix it.
Olaf, are you planning to move the subversion from BETA to STABLE sometime?
Yes, but unlikely before Monday. Too many other things going on. I think these viewcvs things can wait a few more hours. From a quick look, a few changes were already made in CVS.
Okay, I will add the patch to the released packages then. Is there an ID on cve.mitre.org?
Ludwig, you sent the patch to vendor-sec, did you already send it to upstream as well?
* This comment was added by mail. No. I've just asked about the status on vendor-sec. Since this one might be related to the apache.org viewcvs issue there might be an embargo.
BTW, what is the difference between viewcvs and subversion-viewcvs?
once there was viewcvs (for CVS), later it was extended to cover subversion as well. It's still called viewcvs though, and can still handle CVS repositories, and our package name is subversion-viewcvs.
My idea was that rpm -i foo.src.rpm should not overwrite other files. rpm files should not be called blah.patch, but foo.blah.patch, because blah.patch can be found in several packages. It just contains a tar file of the viewcvs CVS head.
* This comment was added by mail. Date: Thu, 16 Dec 2004 13:10:28 +0000 (GMT) From: Mark J Cox <mjc@redhat.com> To: Ludwig Nussel <ludwig.nussel@suse.de> Cc: vendor-sec@lst.de Subject: Re: [vendor-sec] subversion-viewcvs XSS issues |Anyone else affected by this? Do we need a CAN#? What is the embargo |on the apache viewcvs thing and does it apply to this one as well? oops, to actually answer your question this time; the viewcvs issue you've found is identical, as is the fix. So use CAN-2004-1062 for this issue Cheers, Mark ASF fix: diff -u -r1.17 debug.py --- lib/debug.py 19 Nov 2004 06:38:39 -0000 1.17 +++ lib/debug.py 7 Dec 2004 07:04:48 -0000 # import sys +import cgi SHOW_TIMES = 0 class ViewCVSException: def __init__(self, msg, status=None): - self.msg = msg + self.msg = cgi.escape(msg) self.status = status def __str__(self):
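Review bot: the ASF fix escapes in `ViewCVSException.__init__` (`self.msg = cgi.escape(msg)`), i.e. at construction time rather than where the message is written into the HTML page, so every other consumer of `.msg`, including the `__str__` shown in the same hunk and any plain-text log line built from it, now receives entity-encoded text, while a message that reaches the template by another route stays unescaped. Escaping at the output site in the page template is the more robust placement. Separately, `cgi.escape(msg)` with the default second argument leaves `"` untouched; `cgi.escape(msg, 1)` would also encode double quotes, which matters if the message is ever interpolated into an attribute value rather than element text.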
Wasn't there an issue that subversion-viewcvs was not shipped on some products, because it was marked INTERNAL?
* This comment was added by mail. I've just mailed the original reporter (Michael Krax <mikx@mikx.de>). He did not place an embargo, we can release updates when ready. He did not know whether upstream was already notified.
Ludwig, is it enough to add subversion-viewcvs to the package string in the patchinfos? Or the full list of all subpackages?
I guess nothing depends on it, so just do the subpackage.
* This comment was added by mail. Depends on whether there have been updates for subversion-viewcvs already. If subversion-viewcvs was not contained in any previous subversion updates a separate patchinfo can be used.
That's why I asked. Since it is cumbersome (and error-prone) to find out whether there already was an update, and what was updated (I can't look inside the old patchinfos) I hoped that you guys have a better idea...
* This comment was added by mail. Doesn't look like it was already in any patch.
Thanks. To my question in comment #15: I think it was not subversion-viewcvs but subversion-tools which was marked INTERNAL. Never mind.
Created attachment 27143 [details] patchinfo for box products
Created attachment 27144 [details] patchinfo for sles
Note about the issue and patch sent to upstream author. Olaf will take care of STABLE. I'm reassigning to security-team for further processing.
swamp id 81
packages released.
CVE-2004-1062: CVSS v2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)