
XSS vulnerability: CVS lastlog filename not escaped #211

Closed
cmpilato opened this issue Mar 26, 2020 · 2 comments

@cmpilato
Contributor

Describe the bug

When the show_subdir_lastmod option is enabled, ViewVC shows for directories in the directory view the log message of the most recently modified child thereof, along with the child file's name and revision number. Unfortunately, the child file's name is not properly HTML-escaped.

Steps to reproduce the behavior

  1. In a CVS repository, copy the ,v backing file for any non-dead versioned file into an otherwise empty subdirectory of the repository.
     $ cd /opt/cvs/MyCVSRepository
     $ mkdir new-module
     $ cp some/existing/file,v 'new-module/<img src="#" onerror="alert(1)">.txt,v'
  2. Ensure that show_subdir_lastmod is enabled in your viewvc.conf file (restarting any relevant servers).
  3. In ViewVC, visit the parent directory of the newly created file. ViewVC will pass the name of your newly created file (minus the ,v bit) to the browser without escaping that name for safe HTML transport. In this specific example, a JavaScript alert dialog will appear with the message "1".

Expected behavior

ViewVC should relay the name of the last-modified file, properly escaped.
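As an added illustration (not ViewVC's own code), the rendering defect described above next to its escaped form, a regression check that flags a row carrying markup the template did not emit, and a helper that audits a list of ,v backing-file paths for names that would trigger the bug on a version without the fix. The sample path, revision and log message are constructed.

```python
import html
import re

# Constructed sample input mirroring the issue's repro step: the RCS backing
# file's name carries HTML markup. Placeholder path, not from the project.
SAMPLE_RCS_PATH = 'new-module/<img src="#" onerror="alert(1)">.txt,v'

# Characters that change meaning inside HTML text or attribute values.
HTML_SPECIAL = set('<>&"\'')


def rcs_to_filename(rcs_path):
    """Return the name the directory view displays: basename minus the ',v' suffix."""
    name = rcs_path.rsplit('/', 1)[-1]
    return name[:-2] if name.endswith(',v') else name


def render_lastmod_unescaped(filename, rev, log):
    """The defect the issue describes: the child file's name is interpolated raw."""
    return '<td>%s (rev %s): %s</td>' % (filename, rev, html.escape(log))


def render_lastmod_escaped(filename, rev, log):
    """Hardened form: every untrusted value is escaped, quotes included."""
    def esc(s):
        return html.escape(s, quote=True)
    return '<td>%s (rev %s): %s</td>' % (esc(filename), esc(rev), esc(log))


# Heuristic for a regression check: any tag other than the row's own
# <td>/</td> means some value reached the page unescaped.
_FOREIGN_TAG = re.compile(r'<(?!/?td\b)[A-Za-z]')


def has_injected_markup(rendered_row):
    return _FOREIGN_TAG.search(rendered_row) is not None


def find_risky_rcs_names(rcs_paths):
    """Audit helper: list ,v files whose displayed name contains HTML-significant
    characters, i.e. the names an unpatched directory view would emit raw."""
    return [p for p in rcs_paths
            if p.endswith(',v') and HTML_SPECIAL & set(rcs_to_filename(p))]


if __name__ == '__main__':
    name = rcs_to_filename(SAMPLE_RCS_PATH)
    print(render_lastmod_unescaped(name, '1.1', 'initial import'))
    print(render_lastmod_escaped(name, '1.1', 'initial import'))
```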

@cmpilato
Contributor Author

Fixed in master; released in 1.2.1 and v1.1.28.

@cmpilato cmpilato added this to the 1.2.1 milestone Mar 26, 2020
@atoptsoglou

CVE-2020-5283 was assigned for this issue [1].

[1] https://github.com/viewvc/viewvc/blob/master/notes/SECURITY.md
