ViewCVS Restricted Directory Access Security Bypass

2004-12-06T09:11:34
ID OSVDB:12235
Type osvdb
Reporter Hajvan Sehic (hajvan@hajvan.net)
Modified 2004-12-06T09:11:34

Description

Vulnerability Description

ViewCVS contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a repository is exported as a tar archive: the export does not honor the hide_cvsroot and forbidden settings, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 0.9.2-4woody1 if running the stable distribution of Debian, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://viewcvs.sourceforge.net/
Security Tracker: 1012431
Secunia Advisory ID: 13380
Secunia Advisory ID: 13375
Secunia Advisory ID: 13683
Other Advisory URL: http://www.debian.org/security/2004/dsa-605
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200412-26.xml
CVE-2004-0915