
XSS vulnerability in CVS show_subdir_lastmod support

Low
cmpilato published GHSA-xpxf-fvqv-7mfg Apr 1, 2020

Package

No package listed

Affected versions

<=1.1.27, 1.2.0

Patched versions

1.2.1, 1.1.28

Description

Impact

Exploitation requires an attacker with commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance on which the show_subdir_lastmod option is enabled. The attack vector is a file whose name contains HTML markup (a name with characters such as <, >, quotes or &): when the directory view embeds that name into the HTML stream unescaped, the browser interprets the markup and can run attacker-supplied script in the context of the ViewVC site. Such names can themselves be challenging to create in a CVS repository, which further limits the impact.
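The following is an added example, not ViewVC's own code. It models the row construction that the fix changes (the "last modified" cell of a CVS directory listing, built from the name of the newest file in a subdirectory), shows the unescaped and the escaped form side by side, and provides the check behind the first workaround below: a scan of a CVS repository for ,v files whose names would need escaping. The cell markup, the file names and the sample repository listing are constructed for the example, and Python's html.escape stands in for ViewVC's request.server.escape.

```python
# Added example, not ViewVC code: model of the vulnerable and patched cell
# rendering, plus a scan for unsafely named ,v files (workaround 1).
import html
import os
from typing import Iterable, List

# Characters that change meaning once a name is embedded in HTML markup.
HTML_METACHARS = frozenset('<>"\'&')

# Constructed file name of the kind the advisory describes: valid on a POSIX
# file system, but it carries an <img> tag with an event handler.
UNSAFE_NAME = 'x<img src=x onerror=alert(1)>'


def render_lastmod_cell_vulnerable(newest_file: str) -> str:
    """Pre-patch behaviour: the file name is interpolated into the markup as-is."""
    return '<td class="vc_log">%s</td>' % newest_file


def render_lastmod_cell_patched(newest_file: str) -> str:
    """Post-patch behaviour: escape before the name reaches the template.

    html.escape stands in for ViewVC's request.server.escape() (assumption of
    this example); quote=True also neutralises quote characters so the name is
    safe inside attribute values, not only in element content.
    """
    return '<td class="vc_log">%s</td>' % html.escape(newest_file, quote=True)


def name_is_unsafe(name: str) -> bool:
    """True if the name contains a character that must be escaped in HTML."""
    return any(ch in HTML_METACHARS for ch in name)


def find_unsafe_rcs_files(paths: Iterable[str]) -> List[str]:
    """Return, sorted, the ,v (RCS) files whose working-file name is unsafe.

    `paths` are repository-relative paths. ,v files are the backing files of
    CVS working files, so each hit is a candidate for workaround 1 (remove or
    rename). Files under Attic/ are deliberately included: deleted files still
    have a ,v backing file and ViewVC can still display them.
    """
    hits = []
    for path in paths:
        base = os.path.basename(path)
        if not base.endswith(',v'):
            continue
        if name_is_unsafe(base[:-len(',v')]):
            hits.append(path)
    return sorted(hits)


def walk_cvsroot(cvsroot: str) -> Iterable[str]:
    """Yield every file path under a CVS repository root, relative to that root."""
    for dirpath, _dirnames, filenames in os.walk(cvsroot):
        for fn in filenames:
            yield os.path.relpath(os.path.join(dirpath, fn), cvsroot)


if __name__ == '__main__':
    print('vulnerable:', render_lastmod_cell_vulnerable(UNSAFE_NAME))
    print('patched:   ', render_lastmod_cell_patched(UNSAFE_NAME))
    # Constructed listing; on a real server feed walk_cvsroot('/path/to/cvsroot').
    sample = ['README,v', 'src/' + UNSAFE_NAME + ',v', 'Attic/old,v',
              'docs/notes&co,v', 'CVSROOT/modules,v']
    for hit in find_unsafe_rcs_files(sample):
        print('unsafe ,v file:', hit)
```

Run against a real repository with find_unsafe_rcs_files(walk_cvsroot('/path/to/cvsroot')); an empty result means workaround 1 has nothing to act on, while any hit names a backing file that an unpatched ViewVC with show_subdir_lastmod enabled would interpolate into the directory view unescaped.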

Patches

Users should update to at least version 1.2.1 (if they are using a 1.2.x version of ViewVC) or 1.1.28 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds.

Workarounds

There are three workarounds:

  1. Unless the unsafely named file is actually wanted in your repository, remove or rename its ,v backing file in the repository. Renaming keeps the file's history under the new name; removing the ,v file discards that history.
  2. Disable show_subdir_lastmod in your viewvc.conf file (set show_subdir_lastmod = 0 in the [options] section), which stops the directory view from looking up and displaying the newest file of each subdirectory.
  3. Patch lib/viewvc.py:
index 2c38d6e3..487b4a16 100644
--- a/lib/viewvc.py
+++ b/lib/viewvc.py
@@ -2412,7 +2412,7 @@ def view_directory(request):
       if request.roottype == 'cvs' and file.rev is not None:
         row.rev = None
         if cfg.options.show_logs:
-          row.log_file = file.newest_file
+          row.log_file = request.server.escape(file.newest_file)
           row.log_rev = file.rev
 
       if request.roottype == 'svn':
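Review bot: the escape on `row.log_file = request.server.escape(file.newest_file)` only covers the CVS branch; the svn branch that starts at the trailing context line `if request.roottype == 'svn':` is outside the hunk and should be checked for a matching unescaped `log_file` assignment, or the escaping should move to the single place where `log_file` is emitted in the directory template so that both code paths are fixed by one change. The adjacent `row.log_rev = file.rev` stays unescaped; CVS revision strings are numeric in practice, but a one-line comment recording why it may pass through as-is would spare the next reader the same audit. Since the fix pre-escapes a model field inside view_directory, the change should also document that `log_file` is now HTML-escaped so the template does not escape it a second time.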

References

See ViewVC issue #211 for details.

Severity

Low

CVE ID

CVE-2020-5283

Weaknesses

No CWEs