XSS vuln in cvsweb


XSS vuln in cvsweb

Peter J. Philipp-3
Hi all,

I have been notified by a wonderful security researcher that my site was
vulnerable to XSS attacks.  The first one was on software I wrote, and the
second one was on software I got from OpenBSD ports.  Not sure if I should
be writing this to the ports mailing list though.

I have written Marc Espie with a patch that I produced for cvsweb, but
haven't heard from him in 11 hours so I want to get this out to everyone.
The vuln was noticeable with this http string (but it's patched now):

https://centroid.eu/cgi-bin/cvsweb/aim64/pci/vgafb.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Similarly I have picked an arbitrary location on OpenBSD's source tree and put
the same string on it, you'll get an XSS vuln block in chrome for this:

https://cvsweb.openbsd.org/src/sbin/clri/clri.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

Now for the patch I have written, it took me about 2 hours yesterday to get any
decent results, as I don't usually use perl and have written little in it.  But
here it is.  I have applied this directly on the cvsweb cgi, but really it
should be in the port's patches section.  I'm hoping someone can help me with
that when there is consensus that this patch is right.

----->

--- cvsweb.orig Thu Mar 14 18:30:06 2019
+++ cvsweb Thu Mar 14 20:15:56 2019
@@ -2612,7 +2612,7 @@
  sprintf(
  '%s/%s?annotate=%s%s', $scriptname,
  urlencode($where),     $_,
- $barequery
+ htmlquote($barequery)
  )
  );
  }
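Review bot: escaping `$barequery` with `htmlquote()` at this call site is the right encoding for a value placed inside a double-quoted `href` attribute, but doing it per use site means any other place `$barequery` is interpolated into markup stays unescaped; escaping once where `$barequery` is assembled (or auditing every interpolation of it) would make the fix complete rather than covering only the links the reporter happened to find.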
@@ -2625,7 +2625,7 @@
  '[select for diffs]',
  sprintf(
  '%s?r1=%s%s', $scriptwhere,
- $_,           $barequery
+ $_,           htmlquote($barequery)
  )
  );
  } else {
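Review bot: same fix as the annotate link, applied consistently. `$_` is still interpolated raw beside `htmlquote($barequery)`, so confirm it is the revision taken from the RCS file rather than anything derived from request input; if it can carry request data it needs the same treatment.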
@@ -2828,7 +2828,7 @@
 
  foreach (@stickyvars) {
  printf('<input type="hidden" name="%s" value="%s">', $_,
-    $input{$_})
+    htmlquote($input{$_}))
     if (defined($input{$_})
     && ((!defined($DEFAULTVALUE{$_})
     || $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne ""));
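Review bot: correct for this context: the `value` attribute is double-quoted, so `htmlquote()` turning `"` into `&quot;` is exactly what stops the value from closing the attribute. Keeping the raw `$input{$_}` in the `if` comparisons is right as well, since the escaped form is for output only and must not be fed back into the defaults check.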
@@ -3267,7 +3267,7 @@
  join ('', $scriptname,
  urlencode($wherepath),
  (!$last || $lastslash ? '/' : ''),
- $query,
+ htmlquote($query),
  (!$last || $lastslash ? "#dirlist" : "")
  ));
  } else {    # do not make a link to the current dir
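Review bot: `$query` gets `htmlquote()` here while `$wherepath` next to it gets `urlencode()`; that is only sound if `$query` already contains URL-encoded values when it is built. Check where `$query` is assembled so the order is URL-encode the components first, then HTML-escape the whole string once for the attribute, rather than relying on `htmlquote()` to neutralise characters that should never have reached a URL unencoded.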
@@ -3508,6 +3508,7 @@
  # Special Characters; RFC 1866
  s/&/&amp;/g;
  s/\"/&quot;/g;
+ s/%22/&quot;/g;
  s/</&lt;/g;
  s/>/&gt;/g;
 
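Review bot: `s/%22/&quot;/g;` does not belong in `htmlquote()`: the function escapes HTML metacharacters, while `%22` is a URL-encoded sequence that is harmless in HTML and should survive intact inside an `href`. The rule is also lossy (a literal `%22` in a path or parameter value is rewritten) and incomplete (`%3C` and `%3E` from the same query string are not treated). If a percent-encoded value is reaching a page unescaped, the caller is interpolating the wrong string; the `htmlquote()` calls added in the other hunks handle the decoded `"`, so this line should be dropped.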

<-----

Best Regards,
-peter
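As an added illustration (not cvsweb's code and not part of this thread), here is the annotate link from the first hunk rebuilt in Perl with and without the output escaping; `htmlquote`, `urlencode`, `build_barequery` and `annotate_link` are stand-ins written for this example, and the input is the decoded form of the query string quoted above.

```perl
#!/usr/bin/perl
# Added example, not cvsweb's own code: build the annotate link from the
# patched hunk with and without output escaping of the query string.
use strict;
use warnings;

# Stand-in for cvsweb's htmlquote(): the RFC 1866 substitutions from the
# patch, without the proposed %22 rule (which is URL decoding, not HTML).
sub htmlquote {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Percent-encode everything except RFC 3986 unreserved characters.
sub urlencode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9\-._~])/sprintf('%%%02X', ord($1))/ge;
    return $s;
}

# Assemble "&key=value..." from already-decoded CGI parameters; values are
# URL-encoded here so the query stays a valid URL.
sub build_barequery {
    my (%params) = @_;
    return join '', map { '&' . urlencode($_) . '=' . urlencode($params{$_}) } sort keys %params;
}

# The link from the first hunk. $escape selects the patched behaviour
# (htmlquote on the query) or the original one (raw interpolation).
sub annotate_link {
    my ($scriptname, $where, $rev, $barequery, $escape) = @_;
    my $href = sprintf('%s/%s?annotate=%s%s', $scriptname, urlencode($where), $rev,
                       $escape ? htmlquote($barequery) : $barequery);
    return qq{<a href="$href">annotate</a>};
}

# Constructed input: the decoded form of the query value quoted in the report.
my $payload = q{"><script>alert('XSS')</script>};

# Raw decoded value interpolated straight into the attribute closes it early:
print "unsafe: ", annotate_link('/cgi-bin/cvsweb', 'sbin/clri/clri.c', '1.1', "&f=$payload", 0), "\n";

# URL-encode while building the query, then HTML-escape once for the attribute;
# only the '&' separators change, the %22/%3C/%3E sequences are left intact.
my $bq = build_barequery(f => $payload);
print "safe:   ", annotate_link('/cgi-bin/cvsweb', 'sbin/clri/clri.c', '1.1', $bq, 1), "\n";
```

The unsafe line shows the value breaking out of the `href` attribute, while the safe line shows why the two encodings are applied in that order and why `htmlquote` needs no `%22` rule.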


Re: XSS vuln in cvsweb

Stuart Henderson
On 2019-03-15, Peter J. Philipp <[hidden email]> wrote:
> Hi all,
>
> I have been notified by a wonderful security researcher that my site was
> vulnerable to XSS attacks.  The first one was on software I wrote, and the
> second one was on software I got from OpenBSD ports.  Not sure if I should
> be writing this to the ports mailing list though.
>
> I have written Marc Espie with a patch that I produced for cvsweb, but
> haven't heard from him in 11 hours so I want to get this out to everyone.

Yes, it should go to the ports mailing list. Check the "maintainer" line
in "pkg_info cvsweb". I don't know why you would send it to espie@.



Re: XSS vuln in cvsweb

Marc Espie-2
On Fri, Mar 15, 2019 at 12:16:06PM -0000, Stuart Henderson wrote:

> On 2019-03-15, Peter J. Philipp <[hidden email]> wrote:
> > Hi all,
> >
> > I have been notified by a wonderful security researcher that my site was
> > vulnerable to XSS attacks.  The first one was on software I wrote, and the
> > second one was on software I got from OpenBSD ports.  Not sure if I should
> > be writing this to the ports mailing list though.
> >
> > I have written Marc Espie with a patch that I produced for cvsweb, but
> > haven't heard from him in 11 hours so I want to get this out to everyone.
>
> Yes, it should go to the ports mailing list. Check the "maintainer" line
> in "pkg_info cvsweb". I don't know why you would send it to espie@.
>

Last person to have touched the Makefile.

You know, last time I did an infrastructure sweep...