Bug 243852 (CVE-2008-5918)

Summary:	www-apps/websvn<=2.0 Multiple vulnerabilities (CVE-2008-{5918,5919},CVE-2009-0240)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://secunia.com/advisories/32338/
Whiteboard:	B3 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-10-24 17:05:13 UTC

Secunia wrote:
James Bercegay has reported two vulnerabilities in WebSVN, which can
be exploited by malicious people to conduct cross-site scripting
attacks and manipulate data.

1) Input passed in the URL to index.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

2) Input passed to the "rev" parameter in rss.php is not properly
sanitised before being used. This can be exploited to overwrite
arbitrary files via directory traversal attacks.

Successful exploitation of this vulnerability requires that
"magic_quotes_gpc" is disabled.

The vulnerabilities are reported in version 2.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
James Bercegay, GulfTech Security Research Team

ORIGINAL ADVISORY:
GulfTech Security Research Team:
http://www.gulftech.org/?node=research&article_id=00132-10202008

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-10-24 17:09:26 UTC

mailed upstream

Comment 2 Alex Legler (RETIRED) archtester

2008-12-03 13:21:56 UTC

WebSVN 2.1 was released on December 1st. [1]
According to upstream bug tracker [2] the issues should be fixed. 

[1] http://www.websvn.info/news/websvn-2-1-0-released.html
[2] http://websvn.tigris.org/issues/show_bug.cgi?id=179

Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev

2008-12-03 20:12:42 UTC

Added www-apps/websvn-2.1.0 to the tree.

Targets:

  amd64 x86

Comment 4 Markus Meier gentoo-dev

2008-12-03 22:21:31 UTC

amd64/x86 stable, all arches done.

Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev

2008-12-04 04:19:10 UTC

Removed insecure version. webapps done.

Comment 6 Stefan Behte (RETIRED) gentoo-dev

2009-01-23 21:56:43 UTC

CVE-2008-5918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5918):
  Cross-site scripting (XSS) vulnerability in the
  getParameterisedSelfUrl function in index.php in WebSVN 2.0 and
  earlier allows remote attackers to inject arbitrary web script or
  HTML via the PATH_INFO.

CVE-2008-5919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5919):
  Directory traversal vulnerability in rss.php in WebSVN 2.0 and
  earlier, when magic_quotes_gpc is disabled, allows remote attackers
  to overwrite arbitrary files via directory traversal sequences in the
  rev parameter.

CVE-2008-5920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5920):
  The create_anchors function in utils.inc in WebSVN 1.x allows remote
  attackers to execute arbitrary PHP code via a crafted username that
  is processed by the preg_replace function with the eval switch.

CVE-2009-0240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0240):
  listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN
  authz file, allows remote authenticated users to read changelogs or
  diffs for restricted projects via a modified repname parameter.

Comment 7 Stefan Behte (RETIRED) gentoo-dev

2009-01-23 22:00:40 UTC

CVE-2008-5920 and CVE-2009-0240 would require a whiteboard change and a GLSA, but the versions are away since 1,5 months and users should already have upgraded.
Opinions?

Comment 8 Robert Buchholz (RETIRED) gentoo-dev

2009-01-24 11:43:14 UTC

CVE-2008-5920 only seems to affect 1.x which has been superseded by a 2.x stable in 2007 -- no GLSA for that. We need to issue a glsa for CVE-2008-5919 and CVE-2009-0240 though, request filed.

Comment 9 Robert Buchholz (RETIRED) gentoo-dev

2009-03-09 14:02:41 UTC

GLSA 200903-20