Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 180879 - www-apps/websvn < 2.0 XSS vulnerability (CVE-2007-3056)
Summary: www-apps/websvn < 2.0 XSS vulnerability (CVE-2007-3056)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor
Assignee: Gentoo Security
URL: http://secunia.com/advisories/25532/
Whiteboard: B4 [noglsa] p-y
Keywords:
Depends on:
Blocks:
 
Reported: 2007-06-04 17:22 UTC by Pierre-Yves Rofes (RETIRED)
Modified: 2007-08-14 17:53 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Ebuild for websvn-2.0 (websvn-2.0.ebuild,1.36 KB, text/plain)
2007-08-13 15:28 UTC, Hans Rakers
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-04 17:22:05 UTC
A vulnerability has been reported in WebSVN, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the URL (e.g. the "path" parameter in filedetails.php) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is reported in version 2.0rc4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.
Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-06-04 17:23:01 UTC
setting status and cc'ing herds. web-apps, please advise.
Comment 2 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-09 12:58:48 UTC
Adding uberlord since he is the maintainer. Currently marked as no-herd but this could certainly also be added to our herd.

In any case I do not really know what to do about this bug. It would require a certain amount of digging in order to find out what exactly needs patching. Maybe uberlord has more details.
Comment 3 Roy Marples (RETIRED) gentoo-dev 2007-08-09 17:04:05 UTC
Well, websvn svn repo is updated, but there's nothing there about this, nor is there a trouble ticket open for this that I can see.

Where is the vuln reported? Is there sample code to exploit? Is there a possible patch? Has upstream been notified?

BTW feel free to add this to your herd - I hardly use this anymore.
Comment 4 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-09 17:27:27 UTC
The vuln is reported here:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3056
But I didn't see any exploit code nor patch on the reference urls...
I'm clearly no PHP guru so I can't help here, do you guys know how to fix this issue?
Comment 5 Roy Marples (RETIRED) gentoo-dev 2007-08-09 18:22:23 UTC
No. I don't know much PHP myself.
Comment 6 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-10 05:00:16 UTC
Sent a mail to their dev list asking for further details.
Comment 7 Hans Rakers 2007-08-13 15:28:40 UTC
Created attachment 127954 [details]
Ebuild for websvn-2.0

Here's a working ebuild for websvn-2.0 final which is out since Monday, August 13.
Comment 8 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-13 16:57:59 UTC
Thanks Hans. I looked the code, it seems that this issue was adressed with 2.0. Web-apps, please bump.
Comment 9 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-14 06:36:34 UTC
Thanks for the ebuild! Worked fine and made my life easier.

The websvn devs confirmed that the bug has been closed in 2.0 (http://websvn.tigris.org/servlets/ReadMsg?list=dev&msgNo=1328)

I suggest to stabilize websvn-2.0 on x86 and remove the old (1.61) insecure ebuild then.

@uberlord: I added web-apps as herd but did not remove you as maintainer yet. Depends on you if you want to remove yourself there or not :)
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 06:49:48 UTC
x86 please test and mark stable. 

Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-14 17:33:21 UTC
x86 stable, last (and only) arch so open for GLSA vote now.  Gunnar, even changes in metadata.xml should result in a ChangeLog entry.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-14 17:40:29 UTC
classic XSS...I vote NO.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-08-14 17:43:59 UTC
Voting NO and closing.

@wrobel,uberlord: Maybe I'm just lazy wrt metadata.xml but I normally only CC herds and take it for granted that maintainers are on the herd alias as well.
Comment 14 Gunnar Wrobel (RETIRED) gentoo-dev 2007-08-14 17:53:37 UTC
@opfer: yes, sorry, I noticed this morning that I did use my commit wrapper in an incorrect fashion. so there were two or three commits without the entry but this won't happen again.

@jaervosz: the web-apps herd is not too well organized at the moment :) trying to get back into shape