Lucene search
K

ViewGit 0.0.6 - Multiple XSS Vulnerabilities

🗓️ 19 Mar 2013 00:00:00Reported by MatthewType 
zdt
 zdt
🔗 0day.today👁 42 Views

ViewGit web interface allows multiple XSS vulnerabilities that could lead to account compromise and bypass of cross site request forgery mitigation

Related
Code
ReporterTitlePublishedViews
Family
CVE
CVE-2013-2294
30 Jan 202020:29
cve
Cvelist
CVE-2013-2294
30 Jan 202020:29
cvelist
Exploit DB
ViewGit 0.0.6 - Multiple Cross-Site Scripting Vulnerabilities
19 Mar 201300:00
exploitdb
EUVD
EUVD-2013-2240
7 Oct 202500:30
euvd
exploitpack
ViewGit 0.0.6 - Multiple Cross-Site Scripting Vulnerabilities
19 Mar 201300:00
exploitpack
NVD
CVE-2013-2294
30 Jan 202021:15
nvd
Packet Storm
ViewGit 0.0.6 Cross Site Scripting
19 Mar 201300:00
packetstorm
Prion
Cross site scripting
30 Jan 202021:15
prion
seebug.org
ViewGit 0.0.6 - Multiple XSS Vulnerabilities
1 Jul 201400:00
seebug
Impact:
-------
Users viewing the ViewGit web interface could be exposed to arbitrary
HTML source authored by an attacker, including malicious Flash or Java
objects, remotely sourced iFrame tags, malicious JavaScript, or other
content, that would be associated with the trust zone of the ViewGit web
interface. This could result in bypass of cross site request forgery
mitigation, account compromise, drive by download attacks or other
impacts. For more information about the potential impacts of client side
attacks see the BeEF Project at http://beefproject.com/.
 
Mitigating factors: 
-------------------
In order to inject arbitrary script, attackers must have the ability to
manipulate the git repository. Specifically, the attacker must be able
to create branches or tags.
 
Proof of Concept Exploit:
-------------------------
Javascript commands, the most simple being
<script>alert("XSS")</script>, can be used as the name for either a tag
or branch in any given repository and subsequently executed by pulling
them up in ViewGit's web interface. Tag names will be executed when
viewing the "Shortlog" table, and branch names will be executed when
viewing the "Shortlog" or "Heads" tables.
 
Steps to Reproduce:
-------------------
There are two different avenues of attack, so here are two different
ways to reproduce the attack:
 
Branch name exploit:
1. Create a git repository and initialize it with "git init".
2. Add this repository to ViewGit by editing its localconfig.php file
and adding it to the 'projects' array.
3. Now, add a file to the repository and commit it with the commands
"git add fileName" and "git commit"
4. Add a branch via the command "git branch '<script>alert("XSS")</script>'"
5. Navigate to viewgit/?a=summary&p=X where X is the name of the
repository you set up.
6. Observe the Javascript pop-up.
7. Note that this same pop-up will appear when navigating to
viewgit/?a=shortlog&p=X, where X is the name of the repository you set
up, for the same reason because both pages use the same "Shortlog"
table. Thus both problems are also fixed by the same patch.
 
Tag name exploit:
1. Create a git repository and initialize it with "git init".
2. Add this repository to ViewGit by editing its localconfig.php file
and adding it to the 'projects' array.
3. Now, add a file to the repository and commit it with the commands
"git add fileName" and "git commit"
4. Add a tag via the command "git tag -a '<script>alert("XSS")</script>'
-m "Message""
5. Navigate to viewgit/?a=summary&p=X where X is the name of the
repository you set up.
6. Observe the Javascript pop-up.
7. Note that this same pop-up will appear when navigating to
viewgit/?a=shortlog&p=X, where X is the name of the repository you set
up, for the same reason because both pages use the same "Shortlog"
table. Thus both problems are also fixed by the same patch.
 
Vendor Response:
----------------
Vendor has been alerted to this vulnerability and has applied the
suggested patches to ViewGit version 0.0.7

#  0day.today [2018-01-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation