Message-ID: <CAARZ5vpwcDbDCynB-8RUGZ07PodZF9hd2ctVddYG97+xaEiCbw@mail.gmail.com>
Date: Fri, 6 May 2016 00:18:24 +0530
From: Nitin Venkatesh <venkatesh.nitin@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2016-1236 - XSS Vulnerability in websvn 2.3.3-1.2+deb8u1

# Summary:
Vulnerability Type: Cross-site Scripting (XSS)
Package: websvn
Version: 2.3.3-1.2+deb8u1
CVE: CVE-2016-1236

# Description:
A directory or file whose name contains an XSS payload is rendered
unescaped in several parts of the application, so the payload executes in
the browser of anyone viewing those pages.

# Steps to reproduce the issue:
1. Check out an SVN repository that websvn serves.
2. Create a directory or file whose name contains the XSS payload, for
example "><img src=x onerror=alert(1)>
3. Add and commit the new directory or file.
4. Browse the repository in websvn; the payload executes in the browser.
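The rendering side of the bug, as an added example that is not part of the advisory or of websvn's code: it mirrors the shape of the listing.php compare-box line and the filename field, with Python's html.escape() standing in for websvn's escape() (whose behaviour is assumed here, not shown on this page), and shows what the payload file name does to the markup before and after escaping, plus the double-encoding that results if an already escaped value is escaped again at output.

```python
"""Added example, not code from the advisory or from websvn.

It mirrors the shape of the listing.php compare-box line from the
advisory and shows why a repository file name has to be HTML-escaped
before it lands inside a quoted attribute or in text.  Python's
html.escape() stands in for websvn's escape() (include/command.php),
whose behaviour is assumed here and not known from the page.
"""
import html
import re

# The payload from the advisory, used here as a constructed file name.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def listing_row_unpatched(path, file, passrev):
    """Pre-patch shape: the raw file name is interpolated into the markup."""
    return {
        'filename': file,
        'compare_box': ('<input type="checkbox" name="compare[]" value="'
                        + path + file + '@' + str(passrev)
                        + '" onclick="checkCB(this)" />'),
    }


def listing_row_patched(path, file, passrev):
    """Patched shape: escape the name before it reaches the HTML.

    quote=True makes html.escape() encode " and ' as well as <, > and &,
    which is what closes the attribute breakout used by the payload.
    """
    return {
        'filename': html.escape(file, quote=True),
        'compare_box': ('<input type="checkbox" name="compare[]" value="'
                        + html.escape(path + file + '@' + str(passrev), quote=True)
                        + '" onclick="checkCB(this)" />'),
    }


def injected_tags(markup):
    """Names of any tags in markup other than the single expected <input>.

    An empty list means the file name could not open a new element.
    """
    tags = re.findall(r'<\s*([A-Za-z][A-Za-z0-9]*)', markup)
    return [t for t in tags if t.lower() != 'input']


def double_escaped(value):
    """What a stored, pre-escaped value turns into if the template escapes
    it again at output: &quot; becomes &amp;quot; and renders literally."""
    return html.escape(html.escape(value, quote=True), quote=True)


if __name__ == '__main__':
    for build in (listing_row_unpatched, listing_row_patched):
        row = build('/trunk/', PAYLOAD, 5)
        print(build.__name__, injected_tags(row['compare_box']))
    print(double_escaped(PAYLOAD))
```

Run it and the unpatched row reports an injected img tag while the patched row reports none; the last line shows why escaping should happen once, at the point of output, rather than on the stored value and again in the template.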

# Suggested Patches:
Use these at your own discretion; they may not fix the issue entirely.
The escape() function used in the suggested patches was written by the
original developer and can be found in include/command.php.

revision.php - Modified
L148:
+ 'path' => escape($change->path)
- 'path' => $change->path,
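Review bot: the replacement line drops the trailing comma that the removed line has ('path' => $change->path, becomes 'path' => escape($change->path) with no comma), so unless this is the last element of the array literal the patched file will not parse; keep the comma. The '+' line is also listed ahead of the '-' line, the reverse of unified-diff order, which is worth normalising so the patch can be applied with a tool.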

log.php - Added
L326-328:
+ $listing[$index]['revadded'] = escape($listing[$index]['revadded']);
+ $listing[$index]['revdeleted'] = escape($listing[$index]['revdeleted']);
+ $listing[$index]['revmodified'] = escape($listing[$index]['revmodified']);
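Review bot: the three added lines carry no context, so the hunk alone cannot show that they sit inside the loop that defines $index and run after revadded, revdeleted and revmodified have been populated; include a few context lines or a proper @@ header for line 326. Escaping the stored fields in place also means that anything which escapes them again at output will double-encode (&quot; becomes &amp;quot;); if the template already escapes these values, the fix belongs there instead.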

listing.php - Modified
L126:
+ $listing[$index]['filename'] = escape($file);
- $listing[$index]['filename'] = $file;
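Review bot: the escaped value is written back into $listing[$index]['filename'], so any later code that uses this field for something other than HTML text (building a link target, or handing the name back to svn) will see entity-encoded characters, and a name such as a&b becomes a&amp;b. Confirm the field is only ever rendered as text; otherwise keep the raw name here and escape at the point of output.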

L140:
+ $listing[$index]['compare_box'] = '<input type="checkbox"
name="compare[]" value="'.escape($path.$file).'@...passrev.'"
onclick="checkCB(this)" />';
- $listing[$index]['compare_box'] = '<input type="checkbox"
name="compare[]" value="'.$path.$file.'@...passrev.'"
onclick="checkCB(this)" />';
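Review bot: the value sits inside a double-quoted attribute, so this fix only holds if escape() from include/command.php encodes the double quote (PHP's htmlspecialchars() does so by default, but a hand-written function might only handle < and >); verify that before relying on it. The tail of the attribute value ('@...passrev') is obfuscated in the archive copy, so whether the revision suffix falls inside or outside the escape() call cannot be checked from this hunk.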

comp.php - Modified
L384:
+ $listing[$index]['newpath'] = escape($absnode);
- $listing[$index]['newpath'] = $absnode;
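Review bot: same pattern as the revision.php hunk, with the '+' line ahead of the '-' line and no surrounding context, so the position given as L384 cannot be matched against the file; present it in unified form. Also check what else reads $listing[$index]['newpath']: if it is used to build the comparison URL or an svn path as well as being displayed, the entity-encoded value will no longer match the repository path.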

# Events Timeline:
2016-04-29 - Discovered vulnerability
2016-04-29 - Reported to Debian Security Team
2016-04-30 - Acknowledgement received from Debian Security Team
2016-05-01 - CVE-2016-1236 assigned to the issue
2016-05-05 - Disclosing issue on oss-sec mailing list as advised

# Disclaimer:
Please use the information presented above responsibly, at your own
discretion. I will in no way be responsible for how this information is
used or misused.
