ViewVC is "a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. Basically, ViewVC provides the bulk of the report-like functionality you expect out of your version control tool, but much more prettily than the average textual command-line program output".
It was discovered that ViewVC neither sends a charset in the HTTP header nor specifies a charset in the HTML body. It is therefore possible to trick several browsers into decoding ViewVC pages as UTF-7. This allows attackers to inject arbitrary UTF-7 encoded JavaScript code into the output.
Please note that these UTF-7 attacks against sites with missing charset definitions are also exploitable in the Mozilla browser family (SeaMonkey, Firefox, ...). Advisories from different parties that describe similar vulnerabilities usually claim that only Internet Explorer with activated auto-detection is vulnerable. In reality the Mozilla browser family is even more affected, because it can be attacked regardless of whether charset auto-detection is turned on or off.
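The condition described above can be checked on any captured response. The following is an added example, not code from the advisory or from ViewVC: it reports whether a response declares a charset in the Content-Type header or in a meta tag. The function names and the sample body are constructed for illustration.

```python
import re
from email.message import Message
from html.parser import HTMLParser

# Constructed sample: the "+ADw-..." run is plain ASCII text, but becomes
# markup if the browser decides to read the page as UTF-7.
SAMPLE_BODY = b"<html><body>Directory: +ADw-b+AD4-dir+ADw-/b+AD4-</body></html>"


class MetaCharset(HTMLParser):
    """Records the first charset declared by a <meta> tag."""

    def __init__(self):
        super().__init__()
        self.charset = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.charset:
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("charset"):
            self.charset = a["charset"].strip().lower()
        elif a.get("http-equiv", "").lower() == "content-type":
            m = re.search(r"charset\s*=\s*([\w.:-]+)", a.get("content", ""), re.I)
            if m:
                self.charset = m.group(1).lower()


def declared_charset(content_type, body):
    """Return (source, charset) of the first declaration, or (None, None)."""
    msg = Message()
    if content_type:
        msg["Content-Type"] = content_type
    header_cs = msg.get_content_charset()
    if header_cs:
        return "header", header_cs
    parser = MetaCharset()
    parser.feed(body.decode("latin-1"))  # byte-preserving decode, only to find tags
    return ("meta", parser.charset) if parser.charset else (None, None)


def audit(content_type, body):
    """Classify a response by whether the browser is left to guess its encoding."""
    source, cs = declared_charset(content_type, body)
    if cs is None:
        return "UNSAFE: no charset in header or body"
    return f"ok: {cs} (from {source})"
```

Calling audit("text/html", SAMPLE_BODY) reports the response as unsafe, while the same body served with "text/html; charset=UTF-8" passes.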
Credit:
The information has been provided by Stefan Esser.
The original article can be found at: http://www.hardened-php.net/advisory_102006.134.html
Vulnerable Systems:
* ViewVC version 1.0.2 and prior
Immune Systems:
* ViewVC version 1.0.3 or newer
Disclosure Timeline:
07. October 2006 - Notified ViewVC developers
13. October 2006 - ViewVC developers release 1.0.3
15. October 2006 - Public Disclosure
Recommendation:
It is strongly recommended to upgrade to ViewVC 1.0.3, the newest version, which you can download at: http://viewvc.tigris.org/servlets/ProjectDocumentList?folderID=6004