ViewVC UTF-7 Encoding Cross-Site Scripting Vulnerability

Vulnerability ID: 1193120    Type: Cross-site scripting (XSS)
Published: 2006-10-20    Updated: 2006-10-23
CVE: CVE-2006-5442    CNNVD ID: CNNVD-200610-346
Platform: N/A    CVSS score: 6.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006100120
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-346
|Vulnerability details
ViewVC 1.0.2 and earlier neither send a charset in the HTTP Content-Type header nor declare one in the HTML document. Because the browser is left to guess the encoding, a remote attacker can carry out a cross-site scripting (XSS) attack by injecting arbitrary UTF-7 encoded JavaScript via a view: the HTML-escaping of the output does not help, since the payload contains no literal "<" or ">" until the browser decodes it as UTF-7.
|Exploit / advisory
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Happy Python Hackers Project
                        www.hardened-php.net

-= Security  Advisory =-

     Advisory: ViewVC Undefined Charset UTF-7 XSS Vulnerability
 Release Date: 2006/10/15
Last Modified: 2006/10/15
       Author: Stefan Esser [sesser (at) hardened-php (dot) net]

  Application: ViewVC <= 1.0.2
     Severity: A missing default charset definition allows XSS attacks
               against browsers interpreting UTF-7 (IE, mozilla family)
         Risk: Medium
Vendor Status: Vendor released 1.0.3 which according to vendor fixes
               this vulnerability
   References: http://www.hardened-php.net/advisory_102006.134.html

Description:

Quote from http://www.viewvc.org
   "ViewVC is a browser interface for CVS and Subversion version 
    control repositories. It generates templatized HTML to present 
    navigable directory, revision, and change log listings. It can 
    display specific versions of files as well as diffs between 
    those versions. Basically, ViewVC provides the bulk of the 
    report-like functionality you expect out of your version 
    control tool, but much more prettily than the average textual 
    command-line program output."
    
   It was discovered that ViewVC is neither sending a charset HTTP
   header nor specifying a charset in the HTML body. Therefore it
   is possible to trick several browsers into decoding ViewVC pages
   UTF-7. This allows attackers to inject arbitrary UTF-7 encoded
   JavaScript code into the output.

   Please note that these UTF-7 attacks against sites with missing
   charset definitions are also exploitable in the mozilla browser
   family (seamonkey, firefox, ...). Advisories from different
   parties that describe similar vulnerabilities usually claim
   that only Internet Explorer with activated auto-detection is
   vulnerable. In reality the mozilla browser family is even more
   affected, because you can attack them no matter if charset
   auto-detection is turned on or off.

Proof of Concept:

   The Hardened-PHP Project is not going to release a proof of
   concept exploit to the general public.

Disclosure Timeline:

   07. October 2006 - Notified ViewVC developers
   13. October 2006 - ViewVC developers release 1.0.3
   15. October 2006 - Public Disclosure

Recommendation:

   It is strongly recommended to upgrade to the newest version of
   ViewVC 1.0.3 which you can download at:

http://viewvc.tigris.org/servlets/ProjectDocumentList?folderID=6004

GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

   pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
   Key fingerprint = 066F A6D0 E57E 9936 9082  7E52 4439 14CC 0A86 4AA1

Copyright 2006 Stefan Esser. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFFMlChRDkUzAqGSqERAv5fAJ0VZT36wYntwGoonHL2Q3GEeUKrCACgssem
aVuWdWmQZL1mbqnIHt81fJ8=
=cIE+
-----END PGP SIGNATURE-----
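The following is an added example, not ViewVC's code and not part of the advisory above. It illustrates the mechanism described in the vulnerability details and in the advisory's Description: a page that HTML-escapes the reflected value correctly but declares no charset, so a browser that decides the bytes are UTF-7 turns `+ADw-script+AD4-` back into `<script>`. The page template, the header dictionaries and the `declared_charset` check are constructed for this example (they are not how ViewVC 1.0.3 implements its fix); the UTF-7 encoder is hand-written because Python's own `utf-7` codec emits `<` and `>` unshifted, which would defeat the demonstration.

```python
"""Added example: why a missing charset turns HTML-escaped output into UTF-7 XSS.

Not ViewVC's code. The page template, headers and check below are
constructed for illustration only.
"""
import base64
import html
import re
from typing import Optional

# RFC 2152 "Set D": characters a UTF-7 encoder may always emit directly.
# Everything else is wrapped in a "+<modified base64 of UTF-16BE>-" shift
# sequence, so the raw bytes never contain '<', '>' or '"'.
_SET_D = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
             "0123456789'(),-./:?")


def utf7_shift_encode(text: str) -> str:
    """Encode TEXT as UTF-7, base64-shifting every character outside Set D.

    Python's own 'utf-7' codec emits RFC 2152 "Set O" characters such as
    '<' and '>' directly, which is exactly what an attacker does not want,
    so this hand-written encoder shifts them.
    """
    out, run = [], []

    def flush() -> None:
        if run:
            raw = "".join(run).encode("utf-16-be")
            b64 = base64.b64encode(raw).decode("ascii").rstrip("=")
            out.append("+" + b64 + "-")
            run.clear()

    for ch in text:
        if ch in _SET_D:
            flush()
            out.append(ch)
        else:
            run.append(ch)
    flush()
    return "".join(out)


def render_page(user_value: str) -> bytes:
    """Constructed stand-in for a ViewVC <= 1.0.2 page: the reflected value
    is HTML-escaped correctly, but nothing declares a charset."""
    page = "<html><body>Path: %s</body></html>" % html.escape(user_value)
    return page.encode("ascii")


def script_visible(page: bytes, charset: str) -> bool:
    """True if PAGE, decoded the way a browser using CHARSET would decode it,
    contains a <script> tag."""
    return "<script" in page.decode(charset).lower()


_CT_CHARSET = re.compile(r"charset\s*=\s*[\"']?([\w.:-]+)", re.IGNORECASE)
_META_CHARSET = re.compile(r"<meta[^>]*charset\s*=\s*[\"']?([\w.:-]+)",
                           re.IGNORECASE)


def declared_charset(headers: dict, body: bytes) -> Optional[str]:
    """Return the charset the response tells the browser to use, or None.

    None reproduces the ViewVC <= 1.0.2 condition: no charset in the
    Content-Type header and none in a <meta> tag, so the browser may guess
    (and IE or the Mozilla family may guess UTF-7).
    """
    content_type = next((v for k, v in headers.items()
                         if k.lower() == "content-type"), "")
    m = _CT_CHARSET.search(content_type)
    if m:
        return m.group(1).lower()
    # Browsers only pre-scan the first part of the body for a <meta> tag.
    m = _META_CHARSET.search(body[:2048].decode("ascii", "replace"))
    return m.group(1).lower() if m else None


def demo() -> dict:
    """Run the vulnerable and the corrected response through the checks."""
    payload = utf7_shift_encode("<script>alert(1)</script>")
    page = render_page(payload)
    vulnerable = {"Content-Type": "text/html"}            # no charset at all
    fixed = {"Content-Type": "text/html; charset=UTF-8"}  # charset declared
    return {
        "payload": payload,
        "script_as_utf8": script_visible(page, "utf-8"),
        "script_as_utf7": script_visible(page, "utf-7"),
        "vulnerable_charset": declared_charset(vulnerable, page),
        "fixed_charset": declared_charset(fixed, page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the same bytes yielding no `<script>` under UTF-8 and a live `<script>` under UTF-7, while `declared_charset` returns `None` for the header set that mimics the unpatched behaviour. The practical check on a deployed instance is therefore the same as the function's: fetch a page and confirm that either the Content-Type header or an early `<meta>` tag names a charset; if neither does, the browser is free to sniff.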
|References

Source: XF
Name: viewvc-utf7-xss(29576)
Link: http://xforce.iss.net/xforce/xfdb/29576
Source: BUGTRAQ
Name: 20061015 Advisory 10/2006: ViewVC Undefined Charset UTF-7 XSS Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/448762/100/0/threaded
Source: MISC
Link: http://www.hardened-php.net/advisory_102006.134.html
Source: viewvc.tigris.org
Link: http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?rev=HEAD
Source: MLIST
Name: [announce] 20061013 ViewVC 1.0.3 released [SECURITY FIXES]
Link: http://viewvc.tigris.org/servlets/ReadMsg?list=announce&msgNo=5&raw=true
Source: SECUNIA
Name: 22395
Link: http://secunia.com/advisories/22395
Source: BID
Name: 20543
Link: http://www.securityfocus.com/bid/20543
Source: SREASON
Name: 1755
Link: http://securityreason.com/securityalert/1755