[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CollabNet Subversion Edge Log Parser XSS/Code Injection Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: CollabNet Subversion Edge Log Parser XSS/Code Injection Vulnerability
From: sk <sk10_0@xxxxxxxxx>
Date: Tue, 21 Sep 2010 21:42:22 +0530 (IST)


CollabNet Subversion Edge Log Parser XSS/Code  Injection Vulnerability

Discovery Date: Sep 10, 2010
Risk:  Important
Description:

There is a Cross Site Script (XSS)  vulnerability that exists in CollabNet 
Subversion Edge 1.2 and prior  versions. This said vulnerability can be 
exploited by sending a crafted  request to the CollabNet Subversion. server. 
When an administrator tries  to view the log file then this XSS Code will get 
executed.

More  information on this can be found on the following pages:
hxxps://ctf.open.collab.net/sf/sfmain/do/go/artf5016?returnUrlKey=1284577592506


Patch  Information:
More information on the patch can be found in the  following page:
https://ctf.open.collab.net/sf/wiki/do/viewPage/projects.svnedge/wiki/Release_1.2.1


Discovered  by: Sumit Kumar Soni, Trend Micro
Email: ssummit@xxxxxxxxx
For  More info
http://voidroot.blogspot.com/2010/09/collabnet-subversion-edge-log-parser.html
http://threatinfo.trendmicro.com/vinfo/secadvisories/default6.asp?VName=CollabNet%20Subversion%20Edge%20Log%20Parser%20XSS/Code%20Injection%20Vulnerability


Regards
Sumit

Prev by Date: [USN-990-1] OpenSSL vulnerability
Next by Date: [ISecAuditors Security Advisories] Insecure Direct Object Reference in tuenti.com allow to read of any message user
Previous by thread: [USN-990-1] OpenSSL vulnerability
Next by thread: [ISecAuditors Security Advisories] Insecure Direct Object Reference in tuenti.com allow to read of any message user
Index(es):
- Date
- Thread