ViewCVS Cross-Site Scripting Vulnerability
Solution: The following untested patches have been made available by Kenji Suzuki <kenji@po.ganseki.ne.jp>: --- viewcvs.py.orig Fri Dec 14 23:14:39 2001 +++ viewcvs.py Sun Mar 31 15:24:34 2002 @@ -172,7 +172,7 @@ # parse the query params into a dictionary (and use defaults) query_dict = default_settings.copy() for name, values in cgi.parse().items(): - query_dict[name] = values[0] + query_dict[name] = cgi.escape(values[0]) # set up query strings, prefixed by question marks and ampersands query = sticky_query(query_dict) Additionally, Taku YASUI <tach@sourceforge.jp> also released an untested patch: =================================================================== RCS file: /cvsroot/viewcvs/viewcvs/lib/viewcvs.py,v retrieving revision 1.107 retrieving revision 1.108 diff -u -r1.107 -r1.108 --- viewcvs/viewcvs/lib/viewcvs.py 2002/02/22 09:20:46 1.107 +++ viewcvs/viewcvs/lib/viewcvs.py 2002/04/01 01:32:16 1.108 @@ -180,8 +180,14 @@ # parse the query params into a dictionary (and use defaults) query_dict = default_settings.copy() + + # RE that ViewCVS doesn't use in any URL, but a CSS attack might + re_url_validate = re.compile('\'|"|<|>') for name, values in cgi.parse().items(): - query_dict[name] = values[0] + # do not accept values that contain non-ViewCVS characters + # except for search + if not re.search(re_url_validate, values[0]) or name == 'search': + query_dict[name] = values[0] # set up query strings, prefixed by question marks and ampersands query = sticky_query(query_dict) Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>. |
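Review bot: in the first patch, `cgi.escape(values[0])` is called without the `quote` argument, so single and double quotes pass through unescaped and a value reflected inside a quoted HTML attribute can still break out of it; `cgi.escape(values[0], 1)` would at least encode double quotes, and single quotes still need separate handling. Escaping at parse time also stores the entity-encoded value in `query_dict`, which the unchanged context lines then hand to `sticky_query(query_dict)` to rebuild query strings, so any `&`, `<` or `>` in a parameter reaches the generated URLs already HTML-encoded and will be encoded a second time wherever output escaping is also applied. The more robust change is to keep the raw values in `query_dict` and escape each value at the point where it is written into HTML.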
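Review bot: in the second patch, the `or name == 'search'` exemption lets values containing `'`, `"`, `<` and `>` into `query_dict` for the `search` parameter, so that one value is no safer than before the patch unless it is HTML-escaped wherever it is rendered; either drop the exemption or escape `search` at output. Rejected values are silently replaced by whatever `default_settings` supplied, which hides malformed requests from operators; consider logging the rejection or returning an error. Minor points: the hunk adds no `import re`, so it relies on the module already importing it; `re_url_validate.search(values[0])` is the idiomatic call for a compiled pattern; and the alternation `'\'|"|<|>'` reads more clearly as the character class `[\'"<>]`.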