XSS in changed paths when reviewing revision #311
Comments
Thank you for the report. It seems older versions of viewvc have the same problem.
…hangeset 1.2.x: issue #311: HTML escape paths in change set.
…hangeset 1.1.x: issue #311: HTML escape paths in change set.
issue #311: HTML escape paths in change set.
Fixes merged. I'm requesting a CVE to cover this vulnerability.

Workaround: Users can edit their ViewVC EZT view templates to manually HTML-escape changed paths during rendering. Locate in your template set's

Many template engines automatically encode all variables. This way, one wouldn't have to remember to encode every variable manually. Would that work for ViewVC?

Strictly speaking, ViewVC is using a template engine that's maintained elsewhere (EZT - https://github.com/gstein/ezt). In an ideal world, we'd be publishing packages that pulled in

It seems the ezt in viewvc already has some support for HTML encoding, so perhaps not that many changes are needed.

CVE-2023-22456 was assigned for this issue.
I overlooked that the copied-from path should also be escaped. It was suggested by @jun66j5 on Twitter.
* lib/viewvc.py (view_revision)
found by: Jun Omae <jun66j5{_AT_}gmail.com>
... and now fixed. @cmpilato I'm very sorry, but could you make a new release again?

. o O ( now where did I put that "sobbing obnoxiously" emoji? ) Yes, I can do so. It'll have to wait until tomorrow though.

I've requested another CVE for this new variant.
For the sake of those cruising this issue in the future, there are two low-severity cross-site scripting (XSS) attack vectors tracked in this one issue. Both require an attacker to have commit access to your Subversion repository, and to use that access to create versioned files with wonky names, and then to convince a user to navigate to the revision view in which said files were added, deleted, or modified. The second vector involves a further step, where the wonky-named file is copied or renamed inside Subversion.

To HTML-encode variables by default in ezt, pass the Of course, without any further changes this now double-encodes all variables.
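The following is an added example written for this thread; it is not ViewVC or EZT code. It shows the two defensive points the comments above make: every repository-controlled string that ends up in the changeset markup is escaped, the copied-from path included (the second variant tracked in this issue), and escaping is made idempotent so that escaping in the view code and again in an auto-encoding template does not double-encode. The `Change`, `SafeHtml`, `escape_once`, `render_change_*` and `has_live_tag` names are hypothetical, and the sample change list is constructed from the file name given in the bug report.

```python
# Added example (not ViewVC or EZT code): escape changed paths, including
# the copied-from path, exactly once before they reach changeset markup.
# Change, SafeHtml, escape_once, render_change_* and has_live_tag are
# hypothetical names chosen for this illustration.
import html
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Change:
    """One entry of a revision's change set (sample data is constructed below)."""
    path: str
    action: str                        # "added", "deleted" or "modified"
    copied_from: Optional[str] = None  # set when the entry is a copy or rename


class SafeHtml(str):
    """Marker type: the string has already been HTML-escaped."""


def escape_once(value: str) -> SafeHtml:
    """HTML-escape a value, but leave an already-escaped SafeHtml alone.

    Escaping in the view code *and* in an auto-encoding template would
    turn '<' into '&amp;lt;'; the marker type makes escaping idempotent.
    """
    if isinstance(value, SafeHtml):
        return value
    return SafeHtml(html.escape(value, quote=True))


def render_change_vulnerable(change: Change) -> str:
    """The pre-fix pattern: path and copied-from path are interpolated
    raw, so a tag inside a versioned file name becomes live markup."""
    row = f"<li>{change.action}: {change.path}"
    if change.copied_from is not None:
        row += f" (copied from {change.copied_from})"
    return row + "</li>"


def render_change_fixed(change: Change) -> SafeHtml:
    """The fixed pattern: every repository-controlled string is escaped,
    the copied-from path included."""
    row = f"<li>{escape_once(change.action)}: {escape_once(change.path)}"
    if change.copied_from is not None:
        row += f" (copied from {escape_once(change.copied_from)})"
    return SafeHtml(row + "</li>")


def render_changeset(changes: List[Change], fixed: bool = True) -> str:
    """Render the whole change list, as a changeset template would emit it."""
    render = render_change_fixed if fixed else render_change_vulnerable
    return "<ul>" + "".join(render(c) for c in changes) + "</ul>"


def has_live_tag(rendered: str) -> bool:
    """Output check: does any '<' survive that is not one of our own
    <ul>/<li> tags?  If so, repository data reached the page unescaped."""
    stripped = rendered
    for own in ("<ul>", "</ul>", "<li>", "</li>"):
        stripped = stripped.replace(own, "")
    return "<" in stripped


# Constructed sample: the tag-bearing file name from the bug report, once as
# a plain addition and once as the copied-from source of a rename.
SAMPLE_NAME = "<h1 onmouseover=alert'XSS'>XSS"
SAMPLE_CHANGES = [
    Change(path="trunk/README", action="modified"),
    Change(path=f"trunk/{SAMPLE_NAME}", action="added"),
    Change(path="trunk/renamed.txt", action="added",
           copied_from=f"trunk/{SAMPLE_NAME}"),
]

if __name__ == "__main__":
    print(render_changeset(SAMPLE_CHANGES, fixed=False))
    print(render_changeset(SAMPLE_CHANGES, fixed=True))
```

Running it prints the unescaped rendering (the file name arrives as a live `<h1>` with its event handler) followed by the escaped one, where the same name is inert text. The `SafeHtml` marker is the same idea as the "markup" types in auto-encoding template engines: escape at the boundary, mark the result, and let the template pass marked values through unchanged.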
…CVE-2023-22464 Upstream issue: viewvc/viewvc#311 For CentOS/RHEL7, we add to our repository the ViewVC 1.1.30 RPM that is currently in testing on EPEL into our repository until it reaches stable. To test rebuild the package and deploy it on your dev instance. It should still work. Change-Id: I32c0985a752e7bf6f77fe7ff2f891e9ef0444477
Describe the bug
The filename is not properly escaped, and HTML in a filename is rendered in the browser. This is when viewing the changed file in a revision, behind the "View Changeset" link.

Steps to reproduce the behavior
The path shows XSS in big letters, and when the mouse moves over it a JavaScript popup shows.

Expected behavior
Path shows <h1 onmouseover=alert'XSS'>XSS.

Additional context
This is in the current master version, cf136ba.