[Savannah-hackers] Re: Cross-Site Scripting of CVS sytem

[office]

Hi,

I found another CSS point in CVSview,

if you access to the URL
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?sortby=rev";><script>alert("hello")</script>
or
http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sortby=rev";><script>alert("hello")</script>
the script may run.

I think that not only Internet Exploer but Netscape Navigator are affected
by this new CSS point.

I hope you hurry up to fix this. Otherwise I have to report this to Bugtraq 
without fix.

Regards,
--
office
address@hidden
http://www.office.ac/


On Wed, 13 Mar 2002 03:44:39 -0800
Greg Stein <address@hidden> wrote:

> On Wed, Mar 13, 2002 at 01:52:44PM +0900, office wrote:
> > My name is 'office', an Internet user.
> > 
> > I have found the vulnerability of cross-site scripting of CVS sytem,
> > so report it.
> > 
> > I wrote the report to Greg Stein, but I only received a mail auto 
> > replied.
> 
> That's me. You just ran into my auto-responder :-)
> 
> > And I found your address as the vulnerablity may be on ViewCVS
> > system.
> 
> Sure seems that way :-(
> 
> > If you access to the URL including script code, like as
> > http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>alert("hello")</script>
> 
> Hmm. That didn't do anything on my Mozilla client. I just got a text page
> saying that the cvs root didn't exist. What client are you using? What
> version of ViewCVS were you testing?
> 
> >...
> > This vulnerability in the system in CVS and your reaction for this report 
> > will
> > be published by me, adequately.
> 
> Can modifying the URL actually be used to attack *another* person? If a
> person types in a malicious URL, then it would seem to affect just
> themselves. But if a person can type in something and attack *another*
> person, then this takes on a completely different meaning...
> 
> Cheers,
> -g
> 
> -- 
> Greg Stein, http://www.lyra.org/