Vulnerability Note VU#770816

CVSTrac fails to properly sanitize input passed to "filediff"

Overview

CVSTrac fails to check the validity of input passed to the "rcsinfo" parameter of "filediff." This allows execution of arbitrary commands on the server.

I. Description

CVSTrac is a web-based bug and patch set tracking system for use with CVS. CVSTrac 1.1.3 and earlier fail to properly sanitize input to the "rcsinfo" parameter of the "filediff" command. By passing specially crafted arguments to the "rcsinfo" parameter, a remote attacker can execute arbitrary commands on the server.

II. Impact

A remote authenticated user who has the permissions to check in CVS files can run arbitrary shell commands on the server with the privileges of the CVSTrac process. By default, anonymous users cannot access the vulnerable "filediff" method.

III. Solution

This issue is resolved in CVSTrac version 1.1.4 or see the "Systems Affected" section for vendor-specific resolutions.

Systems Affected

Vendor	Status	Date Notified	Date Updated
CVSTrac	Vulnerable	23-Aug-2004
OpenPKG	Vulnerable	16-Aug-2004

References

http://www.securityfocus.com/bid/10878
http://secunia.com/advisories/12090/
http://www.cvstrac.org/cvstrac/tktview?tn=339
http://www.cvstrac.org/cvstrac/chngview?cn=316
http://securitytracker.com/alerts/2004/Aug/1010880.html
http://securitytracker.com/alerts/2004/Aug/1010892.html
http://www.osvdb.org/8373
http://xforce.iss.net/xforce/xfdb/16929

Credit

Thanks to Richard Ngo for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:	2004-08-09
Date First Published:	2004-08-23
Date Last Updated:	2004-08-23
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	16.87
Document Revision:	10

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Get Adobe Reader