A vulnerability has been reported in WebSVN, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed via the URL (e.g. the "path" parameter in filedetails.php) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. The vulnerability is reported in version 2.0rc4. Other versions may also be affected. Solution: Edit the source code to ensure that input is properly sanitised.
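An added illustration of the pattern the advisory describes (not WebSVN's own code; the function names, the sample input and the path check are assumptions): a reflected "path" parameter emitted unescaped, beside the same output HTML-encoded before it reaches the browser.

```php
<?php
// Hypothetical page fragment mirroring the reported pattern: a "path"
// query parameter is written back into the HTML response.

// Vulnerable pattern: the raw parameter is placed into HTML unchanged,
// so any markup in the URL becomes markup in the page.
function render_path_unsafe(string $path): string
{
    return "<h2>Path: " . $path . "</h2>";
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES also escapes single quotes so the value stays safe inside
// attributes; the explicit charset avoids encoding-dependent surprises.
function render_path_safe(string $path): string
{
    $escaped = htmlspecialchars($path, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<h2>Path: " . $escaped . "</h2>";
}

// Optional second layer: repository paths have a narrow shape, so a
// plausibility check can reject odd input before rendering (assumed rule).
function is_plausible_repo_path(string $path): bool
{
    return (bool) preg_match('#^/[A-Za-z0-9._/\-]*$#', $path);
}

// Constructed sample input carrying markup; nothing here touches a network.
$sample = '/trunk/<b>notes</b>';

$unsafe = render_path_unsafe($sample);
$safe   = render_path_safe($sample);

// Self-check: the unsafe output still carries a tag, the encoded one does not.
assert(strpos($unsafe, '<b>') !== false);
assert(strpos($safe, '<b>') === false);
assert(strpos($safe, '&lt;b&gt;') !== false);
assert(is_plausible_repo_path('/trunk/notes'));
assert(!is_plausible_repo_path($sample));

echo $safe, PHP_EOL;
```

Run with `php -d zend.assertions=1 example.php` so the self-checks are evaluated.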
setting status and cc'ing herds. web-apps, please advise.
Adding uberlord since he is the maintainer. Currently marked as no-herd but this could certainly also be added to our herd. In any case I do not really know what to do about this bug. It would require a certain amount of digging in order to find out what exactly needs patching. Maybe uberlord has more details.
Well, websvn svn repo is updated, but there's nothing there about this, nor is there a trouble ticket open for this that I can see. Where is the vuln reported? Is there sample code to exploit? Is there a possible patch? Has upstream been notified? BTW feel free to add this to your herd - I hardly use this anymore.
The vuln is reported here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3056 But I didn't see any exploit code nor patch on the reference URLs... I'm clearly no PHP guru so I can't help here, do you guys know how to fix this issue?
No. I don't know much PHP myself.
Sent a mail to their dev list asking for further details.
Created attachment 127954: Ebuild for websvn-2.0. Here's a working ebuild for websvn-2.0 final, which is out since Monday, August 13.
Thanks Hans. I looked at the code; it seems that this issue was addressed with 2.0. Web-apps, please bump.
Thanks for the ebuild! Worked fine and made my life easier. The websvn devs confirmed that the bug has been closed in 2.0 (http://websvn.tigris.org/servlets/ReadMsg?list=dev&msgNo=1328). I suggest stabilizing websvn-2.0 on x86 and then removing the old (1.61) insecure ebuild. @uberlord: I added web-apps as herd but did not remove you as maintainer yet. It's up to you whether you want to remove yourself there or not :)
x86 please test and mark stable.
x86 stable, last (and only) arch so open for GLSA vote now. Gunnar, even changes in metadata.xml should result in a ChangeLog entry.
classic XSS...I vote NO.
Voting NO and closing. @wrobel,uberlord: Maybe I'm just lazy wrt metadata.xml but I normally only CC herds and take it for granted that maintainers are on the herd alias as well.
@opfer: yes, sorry, I noticed this morning that I had used my commit wrapper in an incorrect fashion. So there were two or three commits without the entry, but this won't happen again. @jaervosz: the web-apps herd is not too well organized at the moment :) Trying to get back into shape.