Impact
The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the `show_subdir_lastmod` feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create.
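To make the attack vector concrete, and to give administrators a way to check for the first workaround below (naughtily-named `,v` files in the repository), here is an added Python example. It is not ViewVC's own code: `render_log_file_cell` is a stand-in for the directory-listing row that carries `row.log_file`, and `html_escape` is assumed to behave like ViewVC's `request.server.escape` (an HTML escape of `&`, `<`, `>` and quotes). The sample repository tree is constructed in a temporary directory.

```python
import html
import os
import re
import shutil
import tempfile

# Characters that break out of text or attribute context when a file name is
# inserted into an HTML stream without escaping.
UNSAFE_CHARS = re.compile(r'[<>&"\']')


def is_unsafe_name(name):
    """True if a CVS file name would need HTML escaping before display."""
    return UNSAFE_CHARS.search(name) is not None


def html_escape(s):
    """Stand-in for request.server.escape (assumed equivalent to html.escape)."""
    return html.escape(s, quote=True)


def render_log_file_cell(newest_file, escape=False):
    """Mimic the listing cell that ends up holding row.log_file.

    With escape=False this is the vulnerable behaviour: the raw file name is
    spliced into the markup. With escape=True it is the patched behaviour.
    """
    value = html_escape(newest_file) if escape else newest_file
    return '<td class="vc_file">%s</td>' % value


def find_unsafe_rcs_files(repo_root):
    """Walk a CVS repository and list ',v' files whose names need escaping.

    These are the files the first workaround says to remove or rename.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(repo_root):
        for fn in filenames:
            if fn.endswith(',v') and is_unsafe_name(fn[:-2]):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), repo_root))
    return sorted(hits)


def build_sample_repo():
    """Constructed sample: a tiny CVS-like tree with one benign and one hostile ,v file."""
    root = tempfile.mkdtemp(prefix='cvsroot-')
    module = os.path.join(root, 'module')
    os.makedirs(os.path.join(module, 'sub'))
    for name in ('README,v', 'sub/hello<img src=x onerror=alert(1)>,v'):
        with open(os.path.join(module, name), 'w') as f:
            f.write('head 1.1;\n')  # minimal RCS-looking header, content is irrelevant
    return root


if __name__ == '__main__':
    root = build_sample_repo()
    try:
        for rel in find_unsafe_rcs_files(root):
            base = os.path.basename(rel)[:-2]
            print('unsafe:', rel)
            print('  unescaped cell:', render_log_file_cell(base))
            print('  escaped cell:  ', render_log_file_cell(base, escape=True))
    finally:
        shutil.rmtree(root)
```

Run it against a real `CVSROOT` by calling `find_unsafe_rcs_files('/path/to/cvsroot')`; any hit is a candidate for the rename-or-remove workaround, and the two rendered cells show why `show_subdir_lastmod` is dangerous without the escape.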
Patches
Users should update to at least version 1.2.1 (if they are using a 1.2.x version of ViewVC) or 1.1.28 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds.
Workarounds
There are three workarounds:

- Unless the naughtily-named file is actually desired in your repository, remove or rename its `,v` backing file in your repository.
- Disable `show_subdir_lastmod` in your `viewvc.conf` file.
- Patch `lib/viewvc.py`:
index 2c38d6e3..487b4a16 100644
--- a/lib/viewvc.py
+++ b/lib/viewvc.py
@@ -2412,7 +2412,7 @@ def view_directory(request):
if request.roottype == 'cvs' and file.rev is not None:
row.rev = None
if cfg.options.show_logs:
- row.log_file = file.newest_file
+ row.log_file = request.server.escape(file.newest_file)
row.log_rev = file.rev
if request.roottype == 'svn':
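Review bot: the escape is applied while the row is assembled rather than at output, so after this change `row.log_file` carries HTML-escaped text; any template or later code that escapes it again, or that uses the value to build a link path, will see `&lt;`/`&amp;` entities instead of the raw file name. Worth a one-line comment at the assignment stating that `row.log_file` is already HTML-safe, and a check that the template consuming it does not escape a second time. The hunk also only covers the `cfg.options.show_logs` branch; `row.log_rev` is a revision string and needs nothing, but if `file.newest_file` is surfaced anywhere else in `view_directory` it would need the same treatment.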
References
See ViewVC issue #211 for details.