have you heard about it?

- (New) ViewCVS Cross Site Scripting -



"ViewCVS can browse directories, change logs, and specific revisions of files.
It can display diffs between versions and show selections of files based on
tags or branches. In addition, ViewCVS has "annotation" or "blame" support,
Bonsai-like query facilities, template-based page generation, and support for
individually configuring virtual hosts. (...) (...) ViewCVS has been developed by the ViewCVS Group and is made available under a
BSD-type license. (...)" (Quoted from: STATUS Vendor contacted on December 17, 2003.
DESCRIPTION From OWASP home page (Open Web SecurityApplication Project) I follow a link pointing to
Souceforge: Once there a bad request (something like:
showme the "suspicious" error page. Then a simple request like this:'OOPS')%3C/script%3E showme the problem. Ironically while looking for information on application security, I found an application security bug... ;-) No blames please, it's only a joke. There's a classical XSS problem on ViewCVS software. It has nothing to do with
bugtarq ID 4818 (, this is a new one. This time the XSS is present in the error page generated by "ViewCVSException" in
"" file. SOURCEFORGE.NET viewcvs_xss_sourceforge
In the screenshot we can see that bug is present in the last version of ViewCVS (viewcvs-1.0-dev),but probably it will be present also in previous versions. This flaw is not a major bug by itself. The problem is (as always in this kind of vulnerabilities) in the environment. ViewCVS main target installation are servers with developing software to keep tracking of software version, etc. Those servers are also primary targets for some kind of intruders. In some scenarios it could be possible http session hijacking.

The problem has been proved to be present in other major websites that are using this software: APACHE.ORG viewcvs_xss_apache IPTABLES.ORG viewcvs_xss_iptables


Hugo Vazquez Carames