Hi, I have created a patch for the cvsweb port that needs review and help in getting it into the port itself. I'd like to apologize to Marc Espie for contacting him regarding this port based on his last check-in on it, and thanks to Stuart Henderson for directing me here.
The patch has changed since my last submission to misc@, and since I am a complete newbie in Perl this needs a pro to look at it and check whether it's correct. I produced the patch with 'diff -u cvsweb.orig cvsweb' directly in the /var/www/cgi-bin directory. Credit goes to Ezio Paglia for finding this XSS vuln. The cvsweb at openbsd.org is also affected and can be checked with:

https://cvsweb.openbsd.org/src/sbin/clri/clri.c?f=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E

In Chrome the XSS check activates immediately; I don't know what Firefox does.

Patch after end of signature and forwarded message:

-peter

----- Forwarded message from Stuart Henderson <[email protected]> -----

Date: Fri, 15 Mar 2019 12:16:06 -0000 (UTC)
From: Stuart Henderson <[email protected]>
To: [email protected]
Subject: Re: XSS vuln in cvsweb
User-Agent: slrn/1.0.2 (OpenBSD)

On 2019-03-15, Peter J. Philipp <[email protected]> wrote:
> Hi all,
>
> I have been notified by a wonderful security researcher that my site was
> vulnerable to XSS attacks. The first one was on software I wrote, and the
> second one was on software I got from OpenBSD ports. Not sure if I should
> be writing this to the ports mailing list though.
>
> I have written Marc Espie with a patch that I produced for cvsweb, but
> haven't heard from him in 11 hours so I want to get this out to everyone.

Yes, it should go to the ports mailing list. Check the "maintainer" line in
"pkg_info cvsweb". I don't know why you would send it to espie@.

----- End forwarded message -----

--- cvsweb.orig	Thu Mar 14 18:30:06 2019
+++ cvsweb	Fri Mar 15 10:23:05 2019
@@ -998,8 +998,9 @@ if (scalar %tags || $input{only_with_tag}) { print "<form method=\"get\" action=\"./\">\n"; foreach my $var (@stickyvars) { + my $tmpvar = htmlquote($input{$var}); print - "<input type=\"hidden\" name=\"$var\" value=\"$input{$var}\">\n" + "<input type=\"hidden\" name=\"$var\" value=\"$tmpvar\">\n" if (defined($input{$var}) && (!defined($DEFAULTVALUE{$var}) || $input{$var} ne $DEFAULTVALUE{$var}) @@ -2612,7 +2613,7 @@ sprintf( '%s/%s?annotate=%s%s', $scriptname, urlencode($where), $_, - $barequery + htmlquote($barequery) ) ); } @@ -2625,7 +2626,7 @@ '[select for diffs]', sprintf( '%s?r1=%s%s', $scriptwhere, - $_, $barequery + $_, htmlquote($barequery) ) ); } else { @@ -2828,7 +2829,7 @@ foreach (@stickyvars) { printf('<input type="hidden" name="%s" value="%s">', $_, - $input{$_}) + htmlquote($input{$_})) if (defined($input{$_}) && ((!defined($DEFAULTVALUE{$_}) || $input{$_} ne $DEFAULTVALUE{$_}) && $input{$_} ne "")); @@ -3267,7 +3268,7 @@ join ('', $scriptname, urlencode($wherepath), (!$last || $lastslash ? '/' : ''), - $query, + htmlquote($query), (!$last || $lastslash ? "#dirlist" : "") )); } else { # do not make a link to the current dir @@ -3508,6 +3509,7 @@ # Special Characters; RFC 1866 s/&/&/g; s/\"/"/g; + s/%22/"/g; s/</</g; s/>/>/g;
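Review bot: In the @@ -998,8 +998,9 @@ hunk, `my $tmpvar = htmlquote($input{$var});` runs before the `if (defined($input{$var}) ...)` modifier that guards the print, so htmlquote() is called on an undefined value for every sticky variable the request did not supply; with warnings enabled that is an "uninitialized value" warning on every iteration, and it is needless work. Either guard it, e.g. `my $tmpvar = defined($input{$var}) ? htmlquote($input{$var}) : '';`, or call htmlquote() inline inside the print as the @@ -2828,7 +2829,7 @@ hunk does, so the two places that emit the hidden sticky inputs read the same way.

Review bot: In the @@ -2612,7 +2613,7 @@, @@ -2625,7 +2626,7 @@ and @@ -3267,7 +3268,7 @@ hunks, $barequery and $query are HTML-escaped at three individual call sites. Any other place in the script that interpolates these two strings into output stays unescaped, so grep for the remaining uses; escaping once where the strings are built, or in the helper that wraps these sprintf() calls, covers every use and cannot be forgotten at the next call site. Also check how $barequery joins its parameters: these values land inside href attributes, and if the separators are already emitted as `&amp;`, then htmlquote(), whose first rule rewrites `&`, will double-encode them and break the sticky parameters in the generated links.

Review bot: The @@ -3508,6 +3509,7 @@ hunk does not belong in htmlquote(): `%22` is a URL percent-escape, not one of the RFC 1866 special characters the surrounding block handles, and htmlquote() is a general routine that this same patch calls on form values and query strings alike, so the new rule rewrites the literal three-byte string `%22` in every value that passes through it while still ignoring the other escapes an attacker can send (`%3C`, `%3E`, `%27`, mixed-case hex). It is also unnecessary for the reported bug: once the decoded $input values and the query strings are HTML-escaped by the earlier hunks, a literal `%22` inside a quoted attribute is harmless, and turning it into a quote character changes the URL a browser would follow from the link. Drop this hunk. Separately, as rendered here the right-hand sides of the substitutions in this block (`s/&/&/g`, `s/\"/"/g`, `s/</</g`, ...) show bare characters rather than the HTML entities an htmlquote() routine must emit; make sure the patch that is actually submitted has not been mangled the same way.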
