Description

User-Friendly USVN is a web interface written in PHP used to configure Subversion repositories.

We found a stored XSS vulnerability inside the commit module, that could allow an attacker to execute JavaScript into the client application and take over user web browsers.

Threat

In case where an attacker had access to a USVN repository, he would be able to remotely inject malicious web pages (including JavaScript code) and, for example, steal session cookies or redirect victims' browsers to phishing websites.

Expectation

User inputs have to be controlled and sanitized before being used by the application.

Vulnerability records

CVE ID: CVE-2020-17364

Access Vector: Network

Security Risk: High

Vulnerability: CWE-79

CVSS Base Score: 7.4

CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Details

With access to a SVN repository, an attacker could push into it a malicious web page with JavaScript code:

$ svn checkout http://127.0.0.1:8090/svn/a --username mickael
$ cd a/trunk
$ echo "<html><body><script>alert(document.cookie)</script>" > xss.html
$ svn add xss.html
$ svn commit -m "adding xss.html"

Subsequently, when an user accesses the commit in the web application (xss1.png) or visists directly the uploaded web page (xss2.png), the JavaScript code is executed:

Access to the commit

Access to the uploaded file

Moreover, as the session cookie has not been protected by the httpOnly flag, the attacker can use this stored XSS to steal the user session cookie to later impersonate him.

Affected versions

  • USVN versions < 1.0.8

Solution

Timeline

  • 2020-05-07 Initial discovery.
  • 2020-05-13 Report to the USVN security team
  • 2020-05-18 USVN acknowledgement stating that the report is under review.
  • 2020-05-18 XSS fix published (http://www.usvn.info/2020/05/20/usvn-1.0.9).
  • 2020-08-12 Disclosure.

Credits

  • Mickael Karatekin, Sysdream (m.karatekin-at-sysdream-dot-com)