ViewVC Invalid Parameter Arbitrary HTML Injection

medium Nessus Plugin ID 42348

Synopsis

An application running on the remote web server has an HTML injection vulnerability.

Description

The version of ViewVC hosted on the remote host is vulnerable to an HTML injection attack. Requesting a URL with an invalid parameter name in the query string generates an error message that echoes back the parameter name. Any URLs included in the invalid parameter name become hyperlinks. A remote attacker could trick a user into requesting a malicious URL to facilitate a social engineering attempt.

According to some reports, there is also an unrelated cross-site scripting issue in this version of ViewVC, though Nessus has not checked for that.

Solution

Upgrade to ViewVC 1.0.9 or later.

See Also

http://www.nessus.org/u?846e7b9b

http://www.nessus.org/u?66b6cc34

Plugin Details

Severity: Medium

ID: 42348

File Name: viewvc_invalid_param_injection.nasl

Version: 1.18

Type: remote

Published: 11/3/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/a:viewvc:viewvc

Required KB Items: www/viewvc

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Ease: No known exploits are available

Patch Publication Date: 8/11/2009

Vulnerability Publication Date: 7/6/2009

Reference Information

BID: 36035

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990