savannah-hackers
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Savannah-hackers] RE: [ViewCVS-dev] Re: Cross-Site Scripting of CVS syt

From: Lucas Bruand
Subject: [Savannah-hackers] RE: [ViewCVS-dev] Re: Cross-Site Scripting of CVS sytem
Date: Tue, 26 Mar 2002 23:18:57 +0100 
As far as I can tell, this is javascript; What can you hurt except yourself
?
Same sort of stuff:
Under UNIX, once you have root access, you can destroy everything in the VFS
if you happen to use the security issue:
cat `rm -rf /*`
Notice the inverted quotes...

> -----Message d'origine-----
> De : address@hidden [mailto:address@hidden la
> part de office
> Envoye : mardi 26 mars 2002 11:00
> A : Greg Stein
> Cc : address@hidden; address@hidden; address@hidden
> Objet : [ViewCVS-dev] Re: Cross-Site Scripting of CVS sytem
>
>
> Hi,
>
> I found another CSS point in CVSview,
>
> if you access to the URL
> http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/viewcvs/?so
> rtby=rev"><script>alert("hello")</script>
> or
> http://subversions.gnu.org/cgi-bin/viewcvs/cvs-utils/CVSROOT/?sort
> by=rev"><script>alert("hello")</script>
> the script may run.
>
> I think that not only Internet Exploer but Netscape Navigator are affected
> by this new CSS point.
>
> I hope you hurry up to fix this. Otherwise I have to report this
> to Bugtraq without fix.
>
> Regards,
> --
> office
> address@hidden
> http://www.office.ac/
>
>
> On Wed, 13 Mar 2002 03:44:39 -0800
> Greg Stein <address@hidden> wrote:
>
> > On Wed, Mar 13, 2002 at 01:52:44PM +0900, office wrote:
> > > My name is 'office', an Internet user.
> > >
> > > I have found the vulnerability of cross-site scripting of CVS sytem,
> > > so report it.
> > >
> > > I wrote the report to Greg Stein, but I only received a mail auto
> > > replied.
> >
> > That's me. You just ran into my auto-responder :-)
> >
> > > And I found your address as the vulnerablity may be on ViewCVS
> > > system.
> >
> > Sure seems that way :-(
> >
> > > If you access to the URL including script code, like as
> > >
http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/viewcvs/?cvsroot=<script>aler
t("hello")</script>
>
> Hmm. That didn't do anything on my Mozilla client. I just got a text page
> saying that the cvs root didn't exist. What client are you using? What
> version of ViewCVS were you testing?
>
> >...
> > This vulnerability in the system in CVS and your reaction for this
report will
> > be published by me, adequately.
>
> Can modifying the URL actually be used to attack *another* person? If a
> person types in a malicious URL, then it would seem to affect just
> themselves. But if a person can type in something and attack *another*
> person, then this takes on a completely different meaning...
>
> Cheers,
> -g
>
> --
> Greg Stein, http://www.lyra.org/

_______________________________________________
viewcvs-dev mailing list
address@hidden
http://mailman.lyra.org/mailman/listinfo/viewcvs-dev
reply via email to
[Prev in Thread] Current Thread [Next in Thread]