Impact
The impact of this vulnerability is mitigated by the need for an attacker to have commit privileges to a CVS repository exposed by an otherwise trusted ViewVC instance that also has the show_subdir_lastmod feature enabled. The attack vector involves files with unsafe names (names that, when embedded into an HTML stream, would cause the browser to run unwanted code), which themselves can be challenging to create.
Patches
Users should update to at least version 1.2.1 (if they are using a 1.2.x version of ViewVC) or 1.1.28 (if they are using a 1.1.x version). ViewVC 1.0.x is no longer supported, so users of that release lineage should implement one of the following workarounds.
Workarounds
There are three workarounds:
- Unless the naughtily-named file is actually desired in your repository, remove or rename its ,v backing file.
- Disable show_subdir_lastmod in your viewvc.conf file.
- Patch lib/viewvc.py:
index 2c38d6e3..487b4a16 100644
--- a/lib/viewvc.py
+++ b/lib/viewvc.py
@@ -2412,7 +2412,7 @@ def view_directory(request):
if request.roottype == 'cvs' and file.rev is not None:
row.rev = None
if cfg.options.show_logs:
- row.log_file = file.newest_file
+ row.log_file = request.server.escape(file.newest_file)
row.log_rev = file.rev
if request.roottype == 'svn':
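Review bot: escaping `file.newest_file` at the point of assignment to `row.log_file` (and only under `if cfg.options.show_logs:`) means `row.log_file` now carries HTML-escaped data rather than the raw file name; any other consumer of that field, or any code path that sets `row.log_file` outside this branch, would need the same treatment or would now see a pre-escaped string. Consider either escaping in the template where the value is emitted, or documenting at the assignment that `row.log_file` is already escaped for HTML, e.g. `row.log_file = request.server.escape(file.newest_file)  # HTML-escaped` so later readers do not escape it twice or use it as a raw path.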
References
See ViewVC issue #211 for details.
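As an added example, not part of the advisory or of ViewVC's own code, the script below shows the two halves of the issue: a check that walks a CVS repository for ,v backing files whose names carry HTML-significant characters (the first workaround), and a side-by-side rendering of the "newest file" cell with and without escaping (the patch). The `<td>` markup and the use of `html.escape` as a stand-in for `request.server.escape` are assumptions for illustration.

```python
import html
import os
import sys
from typing import Iterable, List

# Characters that change meaning when a file name is pasted verbatim into HTML.
HTML_SPECIAL = frozenset('<>&"\'')


def is_unsafe_name(name: str) -> bool:
    """True if embedding `name` unescaped in HTML could alter the markup."""
    return any(ch in HTML_SPECIAL for ch in name)


def unsafe_rcs_names(file_names: Iterable[str]) -> List[str]:
    """Return the ',v' backing files (RCS files) whose working-file name is unsafe."""
    return sorted(n for n in file_names if n.endswith(',v') and is_unsafe_name(n[:-2]))


def find_unsafe_rcs_files(repo_root: str) -> List[str]:
    """Walk a CVS repository on disk and list every unsafe ',v' file by full path."""
    hits: List[str] = []
    for dirpath, _dirs, files in os.walk(repo_root):
        hits.extend(os.path.join(dirpath, n) for n in unsafe_rcs_names(files))
    return sorted(hits)


def render_log_file_cell(newest_file: str, escaped: bool) -> str:
    """Build the directory-listing cell that shows a subdirectory's newest file.

    The <td> markup is an assumed stand-in for ViewVC's template, not its real output.
    escaped=False mirrors the pre-fix assignment (raw name into row.log_file);
    escaped=True mirrors the fix, with html.escape standing in for request.server.escape.
    """
    value = html.escape(newest_file, quote=True) if escaped else newest_file
    return '<td class="vc_file_log">%s</td>' % value


if __name__ == '__main__':
    # Constructed sample: a file whose name carries HTML markup.
    sample = 'README<b>,v'
    print('unsafe ,v files in sample:', unsafe_rcs_names([sample, 'Makefile,v']))
    print('raw   :', render_log_file_cell(sample[:-2], escaped=False))
    print('fixed :', render_log_file_cell(sample[:-2], escaped=True))
    if len(sys.argv) > 1:
        for path in find_unsafe_rcs_files(sys.argv[1]):
            print('review:', path)
```

Run it with the path of a CVS repository root as the only argument to list the ,v files that the first workaround would have you rename or remove.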