Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 243852 (CVE-2008-5918) - www-apps/websvn<=2.0 Multiple vulnerabilities (CVE-2008-{5918,5919},CVE-2009-0240)
Summary: www-apps/websvn<=2.0 Multiple vulnerabilities (CVE-2008-{5918,5919},CVE-2009-...
Status: RESOLVED FIXED
Alias: CVE-2008-5918
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/32338/
Whiteboard: B3 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-10-24 17:05 UTC by Robert Buchholz (RETIRED)
Modified: 2009-03-09 14:02 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 17:05:13 UTC
Secunia wrote:
James Bercegay has reported two vulnerabilities in WebSVN, which can
be exploited by malicious people to conduct cross-site scripting
attacks and manipulate data.

1) Input passed in the URL to index.php is not properly sanitised
before being returned to the user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

2) Input passed to the "rev" parameter in rss.php is not properly
sanitised before being used. This can be exploited to overwrite
arbitrary files via directory traversal attacks.

Successful exploitation of this vulnerability requires that
"magic_quotes_gpc" is disabled.

The vulnerabilities are reported in version 2.0. Other versions may
also be affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
James Bercegay, GulfTech Security Research Team

ORIGINAL ADVISORY:
GulfTech Security Research Team:
http://www.gulftech.org/?node=research&article_id=00132-10202008
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-10-24 17:09:26 UTC
mailed upstream
Comment 2 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2008-12-03 13:21:56 UTC
WebSVN 2.1 was released on December 1st. [1]
According to upstream bug tracker [2] the issues should be fixed. 

[1] http://www.websvn.info/news/websvn-2-1-0-released.html
[2] http://websvn.tigris.org/issues/show_bug.cgi?id=179
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-03 20:12:42 UTC
Added www-apps/websvn-2.1.0 to the tree.

Targets:

  amd64 x86
Comment 4 Markus Meier gentoo-dev 2008-12-03 22:21:31 UTC
amd64/x86 stable, all arches done.
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-12-04 04:19:10 UTC
Removed insecure version. webapps done.
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-23 21:56:43 UTC
CVE-2008-5918 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5918):
  Cross-site scripting (XSS) vulnerability in the
  getParameterisedSelfUrl function in index.php in WebSVN 2.0 and
  earlier allows remote attackers to inject arbitrary web script or
  HTML via the PATH_INFO.

CVE-2008-5919 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5919):
  Directory traversal vulnerability in rss.php in WebSVN 2.0 and
  earlier, when magic_quotes_gpc is disabled, allows remote attackers
  to overwrite arbitrary files via directory traversal sequences in the
  rev parameter.

CVE-2008-5920 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-5920):
  The create_anchors function in utils.inc in WebSVN 1.x allows remote
  attackers to execute arbitrary PHP code via a crafted username that
  is processed by the preg_replace function with the eval switch.

CVE-2009-0240 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0240):
  listing.php in WebSVN 2.0 and possibly 1.7 beta, when using an SVN
  authz file, allows remote authenticated users to read changelogs or
  diffs for restricted projects via a modified repname parameter.

Comment 7 Stefan Behte (RETIRED) gentoo-dev Security 2009-01-23 22:00:40 UTC
CVE-2008-5920 and CVE-2009-0240 would require a whiteboard change and a GLSA, but the versions are away since 1,5 months and users should already have upgraded.
Opinions?
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2009-01-24 11:43:14 UTC
CVE-2008-5920 only seems to affect 1.x which has been superseded by a 2.x stable in 2007 -- no GLSA for that. We need to issue a glsa for CVE-2008-5919 and CVE-2009-0240 though, request filed.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-03-09 14:02:41 UTC
GLSA 200903-20