
ViewCVS Cross-Site Scripting Vulnerability


Published: 2002-05-28
Updated: 2002-05-28
Severity:
Threat: disclosure of sensitive user information
Error type: input validation error
Exploitation: client-side

BUGTRAQ ID:4818

Affected systems
ViewCVS ViewCVS 0.8
   - Apache Software Foundation Apache 1.3.20
   - Apache Software Foundation Apache 1.3.20 win32
   - Apache Software Foundation Apache 1.3.22
   - Apache Software Foundation Apache 1.3.22 win32
   - Apache Software Foundation Apache 1.3.23
   - Apache Software Foundation Apache 1.3.23 win32
   - Apache Software Foundation Apache 1.3.24
   - Apache Software Foundation Apache 1.3.24 win32
ViewCVS ViewCVS 0.9
   - Apache Software Foundation Apache 1.3.20
   - Apache Software Foundation Apache 1.3.20 win32
   - Apache Software Foundation Apache 1.3.22
   - Apache Software Foundation Apache 1.3.22 win32
   - Apache Software Foundation Apache 1.3.23
   - Apache Software Foundation Apache 1.3.23 win32
   - Apache Software Foundation Apache 1.3.24
   - Apache Software Foundation Apache 1.3.24 win32
ViewCVS ViewCVS 0.9.1
   - Apache Software Foundation Apache 1.3.20
   - Apache Software Foundation Apache 1.3.20 win32
   - Apache Software Foundation Apache 1.3.22
   - Apache Software Foundation Apache 1.3.22 win32
   - Apache Software Foundation Apache 1.3.23
   - Apache Software Foundation Apache 1.3.23 win32
   - Apache Software Foundation Apache 1.3.24
   - Apache Software Foundation Apache 1.3.24 win32
ViewCVS ViewCVS 0.9.2
   - Apache Software Foundation Apache 1.3.20
   - Apache Software Foundation Apache 1.3.20 win32
   - Apache Software Foundation Apache 1.3.22
   - Apache Software Foundation Apache 1.3.22 win32
   - Apache Software Foundation Apache 1.3.23
   - Apache Software Foundation Apache 1.3.23 win32
   - Apache Software Foundation Apache 1.3.24
   - Apache Software Foundation Apache 1.3.24 win32
Description
ViewCVS is a CGI script that provides a web front end for browsing CVS version control repositories.

Several URL parameters are not properly filtered, so an attacker can inject HTML or JavaScript code through a URL parameter. When another user views the resulting page, the script code runs in that user's browser and can disclose cookies and other information.

Test code
http://target/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>

http://target/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev"><script>alert("hello")</script>
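The two test URLs above inject into different HTML contexts (a text node for cvsroot, a double-quoted attribute for sortby), and the two patches given under Solution take different approaches: the first escapes every parameter at parse time with cgi.escape(), the second rejects values containing any of ' " < >. The following added example (not ViewCVS code) runs both approaches over the advisory's own test values; html.escape(quote=False) stands in for the old cgi.escape() default, and the link template is an assumed stand-in for ViewCVS's real output.

```python
import html
import re

# Same character class the second patch uses for re_url_validate.
RE_URL_VALIDATE = re.compile('\'|"|<|>')

# Constructed output context (assumed, not ViewCVS's real template):
# the parameter lands inside a double-quoted attribute value.
ATTR_TEMPLATE = '<a href="viewcvs.cgi?sortby={value}">sort</a>'

# Values taken from the advisory's two test URLs.
CVSROOT_INPUT = '<script>alert("hello")</script>'
SORTBY_INPUT = 'rev"><script>alert("hello")</script>'


def escape_like_first_patch(value):
    """Old cgi.escape(value) default: escapes & < > but leaves quotes alone."""
    return html.escape(value, quote=False)


def escape_with_quotes(value):
    """cgi.escape(value, 1) equivalent: quote characters are escaped too."""
    return html.escape(value, quote=True)


def accept_like_second_patch(name, value, default):
    """Second patch: a value containing ' " < > is dropped (except ?search=),
    which silently leaves the parameter at its default."""
    if name == 'search' or not RE_URL_VALIDATE.search(value):
        return value
    return default


def attribute_terminated(escaped_value):
    """True when the escaped value can still close a double-quoted attribute."""
    return '"' in escaped_value


def opens_tag(escaped_value):
    """True when the escaped value can still open a new HTML tag."""
    return '<' in escaped_value


def render_sort_link(value, escaper):
    """Render the assumed link template with the given escaping strategy."""
    return ATTR_TEMPLATE.format(value=escaper(value))


if __name__ == '__main__':
    for label, value in (('cvsroot', CVSROOT_INPUT), ('sortby', SORTBY_INPUT)):
        first, strict = escape_like_first_patch(value), escape_with_quotes(value)
        print(label, 'first patch: opens tag', opens_tag(first),
              '/ closes attribute', attribute_terminated(first))
        print(label, 'quote=True : opens tag', opens_tag(strict),
              '/ closes attribute', attribute_terminated(strict))
        print(label, 'second patch ->', repr(accept_like_second_patch(label, value, 'default')))
```

The first patch neutralizes both test values in a text node, but for the sortby value the unescaped quote still terminates the attribute, which is why quote escaping (or escaping at output time, per context) is the safer choice.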

Solution
Patches:

Patch provided by Kenji Suzuki <kenji@po.ganseki.ne.jp>:

--- viewcvs.py.orig Fri Dec 14 23:14:39 2001
+++ viewcvs.py Sun Mar 31 15:24:34 2002
@@ -172,7 +172,7 @@
# parse the query params into a dictionary (and use defaults)
query_dict = default_settings.copy()
for name, values in cgi.parse().items():
- query_dict[name] = values[0]
+ query_dict[name] = cgi.escape(values[0])

# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
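Review bot: `cgi.escape(values[0])` is called with its default `quote` argument, so `"` is left as-is; a value that is later written inside a double-quoted attribute (the `sortby=rev">` case in the test URLs above) can still terminate that attribute even though `<` and `>` are neutralized. Use `cgi.escape(values[0], 1)` so quotes become `&quot;`, or preferably escape at the point of HTML output rather than here, since escaping at parse time also rewrites any `&`, `<` or `>` in a value before it is used for repository paths and sort comparisons.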

--------------------------------------------------------------------

Patch provided by Taku YASUI <tach@sourceforge.jp>:

RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v
retrieving revision 1.107
retrieving revision 1.108
diff -u -r1.107 -r1.108
--- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107
+++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108
@@ -180,8 +180,14 @@

# parse the query params into a dictionary (and use defaults)
query_dict = default_settings.copy()
+
+ # RE that ViewCVS doesn't use in any URL, but a CSS attack might
+ re_url_validate = re.compile('\'|"|<|>')
for name, values in cgi.parse().items():
- query_dict[name] = values[0]
+ # do not accept values that contain non-ViewCVS characters
+ # except for search
+ if not re.search(re_url_validate, values[0]) or name == 'search':
+ query_dict[name] = values[0]

# set up query strings, prefixed by question marks and ampersands
query = sticky_query(query_dict)
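Review bot: when `re_url_validate` matches, the `if` simply skips the assignment, so a rejected parameter silently falls back to its `default_settings` value with no error or log entry; consider logging the rejected parameter name so the behaviour is diagnosable. The `name == 'search'` exemption passes the raw value through, so wherever `query_dict['search']` is later rendered into HTML it still needs output escaping. Two smaller points: the hunk does not add `import re`, so confirm the module already imports it, and `re_url_validate.search(values[0])` is the idiomatic call on a compiled pattern.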

Related information
office <office@office.ac>.
Reference: http://online.securityfocus.com/archive/1/273102
Project homepage: http://viewcvs.sourceforge.net/