Hi all,

I have been notified by a wonderful security researcher that my site was
vulnerable to XSS attacks.  The first one was on software I wrote, and the
second one was on software I got from OpenBSD ports.  Not sure if I should
be writing this to the ports mailing list though.

I have written Marc Espie with a patch that I produced for cvsweb, but
haven't heard from him in 11 hours so I want to get this out to everyone.
The vuln was noticeable with this http string (but it's patched now):

https://centroid.eu/cgi-bin/cvsweb/aim64/pci/vgafb.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Similarly, I have picked an arbitrary location on OpenBSD's source tree and put
the same string on it; you'll get an XSS vuln block in Chrome for this:

https://cvsweb.openbsd.org/src/sbin/clri/clri.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Now for the patch I have written, it took me about 2 hours yesterday to get any
decent results, as I don't usually use perl and have written little in it.  But
here it is.  I have applied this directly on the cvsweb cgi, but really it
should be in the port's patches section.  I'm hoping someone can help me with
that when there is consensus that this patch is right.

----->

--- cvsweb.orig Thu Mar 14 18:30:06 2019
+++ cvsweb      Thu Mar 14 20:15:56 2019
@@ -2612,7 +2612,7 @@
                                sprintf(
                                        '%s/%s?annotate=%s%s', $scriptname,
                                        urlencode($where),     $_,
-                                       $barequery
+                                       htmlquote($barequery)
                                )
                        );
                }
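Review bot: the `htmlquote($barequery)` on the `+` line of this hunk escapes the raw query for the `href` attribute context, which is the right encoding for that sink, but it is applied per call site rather than where `$barequery` is assembled from request input, so every other place that interpolates `$barequery` into markup must be patched individually and any site missed stays reflectable. Consider building `$barequery` from `urlencode()`d parameter values once (the hunk already does this for `$where`), and keep `htmlquote()` at the output as defence in depth.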
@@ -2625,7 +2625,7 @@
                                        '[select for diffs]',
                                        sprintf(
                                                '%s?r1=%s%s', $scriptwhere,
-                                               $_,           $barequery
+                                               $_,           
htmlquote($barequery)
                                        )
                                );
                        } else {
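Review bot: the `+` line in this hunk has been wrapped by the mail client, so `$_,` and `htmlquote($barequery)` now sit on two lines and the second one carries no leading `+`; `patch` will reject this hunk as malformed. Please resend the diff as an attachment, or with line wrapping disabled, so the line reads `+ $_, htmlquote($barequery)` in one piece as in the first hunk.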
@@ -2828,7 +2828,7 @@
 
        foreach (@stickyvars) {
                printf('<input type="hidden" name="%s" value="%s">', $_,
-                   $input{$_})
+                   htmlquote($input{$_}))
                    if (defined($input{$_})
                    && ((!defined($DEFAULTVALUE{$_})
                    || $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne ""));
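Review bot: quoting `$input{$_}` for the `value="%s"` attribute is the correct fix for this hunk, and the comparison against `$DEFAULTVALUE{$_}` in the condition correctly stays on the raw value; the `name="%s"` argument is `$_` from the fixed `@stickyvars` list, so it needs no quoting. Since `%input` is request-controlled, it would be worth auditing the other `printf`/`print` sites that emit `%input` values into attributes or text, as the same reflection applies to each of them.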
@@ -3267,7 +3267,7 @@
                                        join ('', $scriptname,
                                        urlencode($wherepath),
                                        (!$last || $lastslash ? '/' : ''),
-                                       $query,
+                                       htmlquote($query),
                                        (!$last || $lastslash ? "#dirlist" : "")
                                ));
                        } else {    # do not make a link to the current dir
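Review bot: in this hunk `$wherepath` goes through `urlencode()` while `$query` only gets `htmlquote()`, so the two halves of the same link are encoded at different layers; `htmlquote()` will turn the `&` separators in `$query` into `&amp;`, which is correct inside an attribute, but a `"` or `<` that survives in `$query` is still a literal character in the URL rather than a percent-encoded one. As with the first hunk, encoding the query parameters with `urlencode()` where `$query` is built, and quoting at output, keeps both halves consistent.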
@@ -3508,6 +3508,7 @@
        # Special Characters; RFC 1866
        s/&/&amp;/g;
        s/\"/&quot;/g;
+       s/%22/&quot;/g;
        s/</&lt;/g;
        s/>/&gt;/g;
 
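Review bot: the added `s/%22/&quot;/g;` in `htmlquote` mixes URL percent-encoding into an HTML entity encoder and should be dropped. `%22` is not an active character in HTML, so it poses no injection risk there, and rewriting it corrupts any legitimate value that contains a percent-encoded quote while leaving `%3C`/`%3E` from the same exploit string untouched; the line above, `s/\"/&quot;/g;`, already handles the real double quote. If the concern is that a raw percent-encoded query reaches this function, the fix belongs at the caller (decode, then quote, or URL-encode consistently), not as a special case for one sequence.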

<-----

Best Regards,
-peter
