Security: viewvc-1.1.22 xss exploit
Reported by
arnoldki...@gmail.com,
Jan 11 2018
Issue description
Host: src.chromium.org
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
software: viewvc-1.1.22

1. DESCRIPTION OF VULNERABILITY:
Cross-site scripting (XSS) vulnerability in the nav_path function in lib/viewvc.py in ViewVC before 1.0.14 and 1.1.x before 1.1.26 allows remote attackers to inject arbitrary web script or HTML via the nav_data name.

2. STEPS TO REPRODUCE:
a. Open https://src.chromium.org/viewvc
b. Inspect element and go to Network
c. Substitute the GET method with POST to look at the server side
d. View the response of the server:

    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <!-- ViewVC :: http://www.viewvc.org/ -->
    <head>
    <title>ViewVC Exception</title>
    </head>
    <body>
    <h3>An Exception Has Occurred</h3>
    <h4>Python Traceback</h4>
    <p><pre>
    Traceback (most recent call last):
      File "/usr/lib/viewvc/lib/viewvc.py", line 4844, in main
        request.run_viewvc()
      File "/usr/lib/viewvc/lib/viewvc.py", line 149, in run_viewvc
        for name, values in self.server.params().items():
      File "/usr/lib/viewvc/lib/sapi.py", line 184, in params
        return cgi.parse()
      File "/usr/lib/python2.7/cgi.py", line 149, in parse
        ctype, pdict = parse_header(environ['CONTENT_TYPE'])
      File "/usr/lib/python2.7/UserDict.py", line 40, in __getitem__
        raise KeyError(key)
    KeyError: 'CONTENT_TYPE'
    </pre></p>
    </body>
    </html>

Escape some raw path data before handing off to templates

* lib/viewvc.py (nav_path): Escape the 'name' property of navigation path components the same way we escape that of the 'root' path component.

    item = _item(name=part, href=None)

to

    item = _item(name=request.server.escape(part), href=None)
,
Jan 11 2018
Why I approve that version of viewvc-1.1.22 as vulnerable, and I am not responsible for giving you how the exploitation is made.
,
Jan 18 2018
This is CVE-2017-5938, referenced here: https://github.com/viewvc/viewvc/blob/master/CHANGES We should make sure src.chromium.org is running the latest ViewVC, if it's not already.
,
Jan 18 2018
agable -- Can you assign an appropriate owner, if not you? Thanks.
,
Jan 18 2018
We are currently running viewvc 1.1.22, several versions out of date. vhang: please find an appropriate member of the labs team to update the installation of viewvc to 1.1.26 on the svn.golo host.
,
Jan 18 2018
,
Jan 18 2018
Please take a look and let me know if everything looks hunky-dory. https://src.chromium.org/viewvc
,
Jan 18 2018
Install notes:
1) download new tarball, tar zxf
2) cd $new_dir; ./viewvc-install
3) point it to /usr/lib/viewvc-$version (/usr/lib/viewvc-1.1.26)
4) cd /usr/lib/viewvc-$version
5) mkdir cgi-bin
6) for i in bin/cgi/viewvc.cgi bin/wsgi/viewvc.{fcgi,wsgi}; do cp $i cgi-bin/; done
7) mv viewvc.conf viewvc.conf_install
8) cp /etc/viewvc.conf .
9) cd /usr/lib
10) ln -sfvT viewvc-$version viewvc
Done.
,
Jan 18 2018
,
Jan 22 2018
,
Feb 8 2018
Why don't I get a reward for this bug???
,
Feb 8 2018
,
Apr 27 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
,
Jul 28
Comment 1 by elawrence@chromium.org, Jan 11 2018