oss-sec mailing list archives
CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input
From: Reed Loden <reed () reedloden com>
Date: Mon, 29 Mar 2010 17:52:46 -0500
Just received an announcement stating ViewVC 1.1.5 and 1.0.11 were released today (right on the heels of 1.1.4 and 1.0.10, for which I still haven't received a CVE). Looks like they fix an XSS that needs a CVE assigned. "security fix: escape user-provided search_re input to avoid XSS attack" http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?r1=2342&r2=2359&pathrev=HEAD Here's the patch for the XSS: http://viewvc.tigris.org/source/browse/viewvc?view=rev&revision=2344 """ There were too many ways to do something as simple as HTML escaping in the ViewVC codebase. Simplify, conjoin, remove, etc. * lib/sapi.py (escape): New function. *The* preferred HTML-escaping mechanism. (Server.escape): New common Server object escape mechanism (which uses the aforementioned escape(), of course). (CgiServer.escape, WsgiServer.escape, AspServer.escape, ModPythonServer.escape): Lose as unnecessary. * lib/viewvc.py (Request.get_form): Escape hidden form variable names and values. (htmlify): Remove. (): Replace all uses of cgi.escape() and htmlify() with (directly or indirectly) sapi.escape(). * lib/query.py (main): Use server.escape() instead of cgi.escape(). * lib/blame.py (HTMLBlameSource.__getitem__): Use sapi.escape() instead of cgi.escape(). * lib/idiff.py (_mdiff_split, _differ_split): Use sapi.escape() instead of cgi.escape(). """ ~reed -- Reed Loden - <reed () reedloden com>
Attachment:
_bin
Description:
Current thread:
- CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 29)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Secunia Research (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Reed Loden (Mar 30)
- Re: CVE Request: ViewVC 1.1.5 / 1.0.11 -- XSS via user-provided 'search_re' input Steven M. Christey (Mar 30)