[CVE-2020-17364] USVN stored XSS
Description
User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.
We found a stored XSS vulnerability in the commit module that could allow an attacker to execute JavaScript in the client application and take over users' web browsers.
Threat
If an attacker has access to a USVN repository, they would be able to remotely inject malicious web pages (including JavaScript code) and, for example, steal session cookies or redirect victims' browsers to phishing websites.
Expectation
User inputs have to be controlled and sanitized before being used by the application.
Vulnerability records
CVE ID: CVE-2020-17364
Access Vector: Network
Security Risk: High
Vulnerability: CWE-79
CVSS Base Score: 7.4
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Details
With access to an SVN repository, an attacker could commit a malicious web page containing JavaScript code:
$ svn checkout http://127.0.0.1:8090/svn/a --username mickael
$ cd a/trunk
$ echo "<html><body><script>alert(document.cookie)</script>" > xss.html
$ svn add xss.html
$ svn commit -m "adding xss.html"
Subsequently, when a user accesses the commit in the web application (xss1.png) or visits the uploaded web page directly (xss2.png), the JavaScript code is executed:
Moreover, as the session cookie is not protected by the httpOnly flag, the attacker can use this stored XSS to steal the user's session cookie and later impersonate them.
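Added defensive example (not USVN's own code and not the upstream fix): PHP illustrating the two controls this advisory points at, serving repository content so the browser never interprets a committed file as HTML (escaped inline rendering for the commit view, or a forced download with nosniff for raw access) and setting the httpOnly flag on the session cookie. Function names and the CSS class are assumptions.

```php
<?php
// Added example, not USVN code. Function names are hypothetical.

// Hardened session cookie: HttpOnly keeps document.cookie from exposing the
// session id to injected scripts; Secure/SameSite limit where it is sent.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Raw access to a repository file ("view file" route). Never echo the bytes
// as text/html: force a download, a neutral content type and nosniff so the
// browser cannot be talked into rendering attacker-controlled markup.
function sendRepositoryFile(string $name, string $bytes): void
{
    // Restrict the file name to a conservative character set so the
    // Content-Disposition header cannot be broken with quotes or CRLF.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($name));

    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $safeName . '"');
    header('Content-Length: ' . strlen($bytes));
    echo $bytes;
}

// Inline rendering inside the commit/diff page: escape before embedding so
// <script> and friends are displayed as text, not executed.
function renderFileInline(string $bytes): string
{
    $escaped = htmlspecialchars($bytes, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<pre class="file-content">' . $escaped . '</pre>';
}

// Constructed sample: the payload committed in the advisory above.
$payload = '<html><body><script>alert(document.cookie)</script>';
echo renderFileInline($payload), PHP_EOL;
```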
Affected versions
- USVN versions < 1.0.8
Solution
- Update to USVN >= 1.0.9
- Update to commit a2c315a75a518ba57d385dc3a56866541ec06faf (https://github.com/usvn/usvn/pull/59/commits/a2c315a75a518ba57d385dc3a56866541ec06faf)
Timeline
- 2020-05-07 Initial discovery.
- 2020-05-13 Report to the USVN security team.
- 2020-05-18 USVN acknowledgement stating that the report is under review.
- 2020-05-18 XSS fix published (http://www.usvn.info/2020/05/20/usvn-1.0.9).
- 2020-08-12 Disclosure.
Credits
- Mickael Karatekin, Sysdream (m.karatekin-at-sysdream-dot-com)