ViewVC Undefined Charset UTF-7 XSS Vulnerability

Credit: Stefan Esser
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 6.8/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Happy Python Hackers Project -= Security Advisory =- Advisory: ViewVC Undefined Charset UTF-7 XSS Vulnerability Release Date: 2006/10/15 Last Modified: 2006/10/15 Author: Stefan Esser [sesser (at) hardened-php (dot) net [email concealed]] Application: ViewVC <= 1.0.2 Severity: A missing default charset definition allows XSS attacks against browsers interpreting UTF-7 (IE, mozilla family) Risk: Medium Vendor Status: Vendor released 1.0.3 which according to vendor fixes this vulnerability References: Description: Quote from "ViewVC is a browser interface for CVS and Subversion version control repositories. It generates templatized HTML to present navigable directory, revision, and change log listings. It can display specific versions of files as well as diffs between those versions. Basically, ViewVC provides the bulk of the report-like functionality you expect out of your version control tool, but much more prettily than the average textual command-line program output." It was discovered that ViewVC is neither sending a charset HTTP header nor specifying a charset in the HTML body. Therefore it is possible to trick several browsers into decoding ViewVC pages UTF-7. This allows attackers to inject arbitrary UTF-7 encoded Java-Script code into the output. Please note that these UTF-7 attacks against sites with missing charset definitions are also exploitable in the mozilla browser family (seamonkey, firefox, ...). Advisories from different parties that describe similar vulnerabilities usually claim that only Internet Explorer with activated auto-detection is vulnerable. In reality the mozilla browser family is even more affected, because you can attack them no matter if charset auto-detection is turned on or off. Proof of Concept: The Hardened-PHP Project is not going to release a proof of concept exploit to the general public. Disclosure Timeline: 07. October 2006 - Notified ViewVC developers 13. October 2006 - ViewVC developers release 1.0.3 15. October 2006 - Public Disclosure Recommendation: It is strongly recommended to upgrade to the newest version of ViewVC 1.0.3 which you can download at: GPG-Key: pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1 Copyright 2006 Stefan Esser. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (GNU/Linux) iD8DBQFFMlChRDkUzAqGSqERAv5fAJ0VZT36wYntwGoonHL2Q3GEeUKrCACgssem aVuWdWmQZL1mbqnIHt81fJ8= =cIE+ -----END PGP SIGNATURE-----

Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021,


Back to Top