Secunia wrote: James Bercegay has reported two vulnerabilities in WebSVN, which can be exploited by malicious people to conduct cross-site scripting attacks and manipulate data.

1) Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "rev" parameter in rss.php is not properly sanitised before being used. This can be exploited to overwrite arbitrary files via directory traversal attacks. Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are reported in version 2.0. Other versions may also be affected.

SOLUTION: Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY: James Bercegay, GulfTech Security Research Team

ORIGINAL ADVISORY: GulfTech Security Research Team: http://www.gulftech.org/?node=research&article_id=00132-10202008
mailed upstream
WebSVN 2.1 was released on December 1st. [1] According to upstream bug tracker [2] the issues should be fixed.

[1] http://www.websvn.info/news/websvn-2-1-0-released.html
[2] http://websvn.tigris.org/issues/show_bug.cgi?id=179
Added www-apps/websvn-2.1.0 to the tree. Targets: amd64 x86
amd64/x86 stable, all arches done.
Removed insecure version. webapps done.
CVE-2008-5918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5918): Cross-site scripting (XSS) vulnerability in the getParameterisedSelfUrl function in index.php in WebSVN 2.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO.

CVE-2008-5919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5919): Directory traversal vulnerability in rss.php in WebSVN 2.0 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to overwrite arbitrary files via directory traversal sequences in the rev parameter.

CVE-2008-5920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5920): The create_anchors function in utils.inc in WebSVN 1.x allows remote attackers to execute arbitrary PHP code via a crafted username that is processed by the preg_replace function with the eval switch.

CVE-2009-0240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0240): listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN authz file, allows remote authenticated users to read changelogs or diffs for restricted projects via a modified repname parameter.
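The three input-handling flaws in the CVE list above (reflected PATH_INFO, a path-like "rev" value reaching the filesystem, and preg_replace with the eval modifier) share one fix pattern: validate or escape at the trust boundary. The snippet below is an added illustration of that pattern and is not WebSVN's code or its upstream fix; the function names (safe_revision, html_attr, self_url_with_params, create_anchors_safe) and the sample inputs are hypothetical. The authz bypass in CVE-2009-0240 is an access-control check rather than an input-sanitising issue and is not covered here.

```php
<?php
// Added, illustrative hardening for the input-handling flaws described in the
// CVE entries above. Function and variable names are hypothetical and are not
// WebSVN's own code or its fix.

// CVE-2008-5919 class: a revision must be a plain non-negative integer.
// Anything else (traversal sequences, "HEAD/../x", quotes) is rejected before
// the value can be joined into a filesystem path, so the state of
// magic_quotes_gpc no longer matters.
function safe_revision($raw): ?int
{
    if (!is_string($raw) || !preg_match('/^\d{1,10}$/', $raw)) {
        return null;
    }
    return (int) $raw;
}

// CVE-2008-5918 class: any request-derived value (PATH_INFO included) that is
// reflected into HTML is escaped at the point of output, quotes included.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Builds a self-referencing URL from PATH_INFO plus query parameters.
// http_build_query URL-encodes keys and values; html_attr then makes the
// result safe to place inside an href attribute.
function self_url_with_params(string $pathInfo, array $params): string
{
    $qs = http_build_query($params);
    return html_attr($pathInfo . ($qs !== '' ? '?' . $qs : ''));
}

// CVE-2008-5920 class: never pass attacker-influenced text through
// preg_replace with the /e (eval) modifier. preg_replace_callback runs a
// fixed PHP closure on each match, so the matched text is treated as data
// and is HTML-escaped before being wrapped in an anchor.
function create_anchors_safe(string $text): string
{
    return preg_replace_callback(
        '#\bhttps?://[^\s<>"\']+#i',
        function (array $m): string {
            $url = html_attr($m[0]);
            return '<a href="' . $url . '">' . $url . '</a>';
        },
        $text
    );
}

// Constructed sample inputs (not taken from any real request) to exercise
// the three helpers.
var_dump(safe_revision('1234'));
var_dump(safe_revision('../../../tmp/x'));
echo self_url_with_params('/repo/<script>', ['rev' => '1 "x']), "\n";
echo create_anchors_safe('see http://example.com/a?b=1 now'), "\n";
```

Run with `php example.php`. The key design choice is that safe_revision rejects rather than cleans: stripping "../" from a string still leaves a path-shaped value, whereas accepting only a short digit string means the value can only ever name a revision.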
CVE-2008-5920 and CVE-2009-0240 would require a whiteboard change and a GLSA, but the versions have been gone for 1.5 months and users should already have upgraded. Opinions?
CVE-2008-5920 only seems to affect 1.x, which was superseded by a 2.x stable in 2007 -- no GLSA for that. We need to issue a GLSA for CVE-2008-5919 and CVE-2009-0240 though; request filed.
GLSA 200903-20