Hi!
*************************************************************************
Short version for the busy ones:
o Security issue on ViewCVS 0.9.4
o Not really exploitable unless malicious users have CVS write access
AND victim visits pre-crafted URL
*************************************************************************
ViewCVS 0.9.4
http://viewvc.tigris.org/servlets/ProjectDocumentList?folderID=6005
is no longer under development, has been abandoned in favor of ViewVC
(http://viewvc.org/) and should probably no longer be used in production
environments. Unfortunately this script _is_ still widely used, so I
think it's still worth telling about this otherwise not really important
finding.
The issue is one which can hardly be practically exploited (thus this
short and boring 'advisory' and no prior notice to the previous
developers). The source of the problem is that ViewCVS lets the client
specify, through a request parameter, the Content-Type header that the
server-generated HTTP response will be sent with.
This was previously considered an HTTP response splitting vulnerability
by Jose Antonio Coret (Joxean Koret)
http://lists.grok.org.uk/pipermail/full-disclosure/2005-January/030514.html
(BID 12112, couldn't find a CVE, AFAICT it is _not_ CAN-2004-1062)
and, according to him, a patch has been stored on the 1.0-dev CVS
branch. The 0.9.4 release on viewvc.tigris.org seems to be unpatched and
it's possible that some Linux distributions and whoever would normally
care were never patched against this.
However, it is actually more than the response splitting issue. For
example, please compare what your web browser displays at these locations:
http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/peach/anno_proto/html/bymap/test00.htm?rev=1.9&content-type=text/vnd.viewcvs-markup
http://cvs.sourceforge.jp/cgi-bin/viewcvs.cgi/peach/anno_proto/html/bymap/test00.htm?rev=1.9&content-type=text/html
The two obviously look somewhat different, and on the second location
you can see (assuming you have JavaScript activated globally) that a
request is made to Google (from within the security context of
cvs.sourceforge.jp).
This means that ViewCVS and thus the domain it runs in is vulnerable to
Cross Site Scripting, assuming that someone not fully trusted has
write permissions on one of the CVS repositories ViewCVS grants access
to here.
But XSS is just one possibility. This should also work for delivering
VML exploits and other funny stuff, such as ... when some victim uses a
funny web browser (such as Internet Explorer 5.5/6/7) and some attacker
stores files such as this
http://moritz-naumann.com/tests/xss2.jpg
in a CVS repository and makes the victim access it with
'&content-type=image/jpeg' appended to the ViewCVS URL.
However, all of the above requires that some admin messes around with
CVS write access on the server ViewCVS grants read access to and gives
access to someone with bad intentions or no clue. Of course, both of
these could easily happen on web sites such as Sourceforge (which, however,
introduced separate subdomains for user authentication and web-based
access to CVS), or on sites which use CVS the way a version-controlled
wiki is used and allow public write access.
I suggest that Linux distributions should patch this issue short term
and deprecate support for ViewCVS mid to long term.
Web application developer lessons learnt (once again):
1. Explicitly limit your application to the functionality you want and
need it to have.
2. More precisely, do not use user-generated data provided in HTTP
requests to specify the content types of HTTP responses unless you are
using a whitelisting approach.
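The whitelisting approach from lesson 2, as an added example that is not from this advisory and not ViewCVS's own code: the unsafe pattern the advisory describes beside an allow-listed version of it. The function names, the contents of the allow-list, the default type and the sample URLs are assumptions, modelled on the content-type parameter in the URLs above.

```python
from urllib.parse import parse_qs, urlsplit

# Assumed default: the rendered markup view the advisory's first URL requests.
DEFAULT_CONTENT_TYPE = "text/vnd.viewcvs-markup"

# Assumed allow-list: the only response types this viewer should ever emit.
# text/html and image/jpeg are deliberately absent; a repository file must
# never be handed to the browser as a document in the viewer's own origin.
ALLOWED_CONTENT_TYPES = frozenset({
    "text/vnd.viewcvs-markup",
    "text/plain",
})


def _requested_content_type(url):
    """Pull the content-type query parameter out of a ViewCVS-style URL.
    parse_qs percent-decodes, so a %0d%0a in the URL arrives here as CR LF."""
    params = parse_qs(urlsplit(url).query)
    return params.get("content-type", [None])[0]


def content_type_unsafe(url):
    """The pattern the advisory describes: whatever the client sent in the
    content-type parameter becomes the Content-Type header of the response."""
    requested = _requested_content_type(url)
    return requested if requested is not None else DEFAULT_CONTENT_TYPE


def content_type_safe(url):
    """Allow-list version: the client may only select among known viewer
    types; anything else (text/html, image/jpeg, or a value carrying CR/LF
    that could split the response) silently falls back to the default."""
    requested = _requested_content_type(url)
    if requested is None:
        return DEFAULT_CONTENT_TYPE
    if "\r" in requested or "\n" in requested:
        return DEFAULT_CONTENT_TYPE
    candidate = requested.strip().lower()
    if candidate not in ALLOWED_CONTENT_TYPES:
        return DEFAULT_CONTENT_TYPE
    return candidate


def response_headers(url):
    """Headers a hardened CGI-style handler would emit for the request.
    X-Content-Type-Options: nosniff tells browsers that support the header
    not to second-guess the declared type, which covers the image-rendered-
    as-HTML case the advisory mentions for browsers that honour it."""
    return [
        ("Content-Type", content_type_safe(url)),
        ("X-Content-Type-Options", "nosniff"),
    ]


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the ones in the advisory.
    base = "http://cvs.example.org/cgi-bin/viewcvs.cgi/proj/doc/test00.htm?rev=1.9"
    for suffix in ("",
                   "&content-type=text/vnd.viewcvs-markup",
                   "&content-type=text/html",
                   "&content-type=image/jpeg",
                   "&content-type=text/plain%0d%0aX-Constructed:%201"):
        url = base + suffix
        print(repr(suffix or "(no parameter)"),
              "unsafe ->", repr(content_type_unsafe(url)),
              "| safe ->", repr(content_type_safe(url)))
```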
Thanks for reading, have a fine day.
Moritz