Vulnerabilities > CVE-2009-3619 - Unspecified vulnerability in Viewvc
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN viewvc
nessus
Summary
Unspecified vulnerability in ViewVC 1.0 before 1.0.9 and 1.1 before 1.1.2 has unknown impact and remote attack vectors related to "printing illegal parameter names and values."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 10 |
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_VIEWVC-6578.NASL description Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619). last seen 2020-06-01 modified 2020-06-02 plugin id 42328 published 2009-10-30 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42328 title openSUSE 10 Security Update : viewvc (viewvc-6578) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update viewvc-6578. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(42328); script_version ("1.8"); script_cvs_date("Date: 2019/10/25 13:36:37"); script_cve_id("CVE-2009-3618", "CVE-2009-3619"); script_name(english:"openSUSE 10 Security Update : viewvc (viewvc-6578)"); script_summary(english:"Check for the viewvc-6578 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619)." ); script_set_attribute( attribute:"solution", value:"Update the affected viewvc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_cwe_id(79); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:viewvc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:10.3"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/20"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/30"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE10\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "10.3", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE10.3", reference:"viewvc-1.0.9-0.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "viewvc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2009-8501.NASL description CHANGES in 1.0.9: - security fix: validate the last seen 2020-06-01 modified 2020-06-02 plugin id 40581 published 2009-08-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40581 title Fedora 10 : viewvc-1.0.9-1.fc10 (2009-8501) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-8501. # include("compat.inc"); if (description) { script_id(40581); script_version ("1.10"); script_cvs_date("Date: 2019/08/02 13:32:30"); script_cve_id("CVE-2009-3618", "CVE-2009-3619"); script_xref(name:"FEDORA", value:"2009-8501"); script_name(english:"Fedora 10 : viewvc-1.0.9-1.fc10 (2009-8501)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "CHANGES in 1.0.9: - security fix: validate the 'view' parameter to avoid XSS attack - security fix: avoid printing illegal parameter names and values Also includes: Patch by Patrick Monnerat to make allow_tar work on F-10. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=513006" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027827.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?19255a65" ); script_set_attribute( attribute:"solution", value:"Update the affected viewvc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_cwe_id(79); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:viewvc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:10"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^10([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 10.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC10", reference:"viewvc-1.0.9-1.fc10")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "viewvc"); }
NASL family SuSE Local Security Checks NASL id SUSE_11_0_VIEWVC-091021.NASL description Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619). last seen 2020-06-01 modified 2020-06-02 plugin id 42246 published 2009-10-26 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42246 title openSUSE Security Update : viewvc (viewvc-1420) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update viewvc-1420. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(42246); script_version("1.9"); script_cvs_date("Date: 2019/10/25 13:36:34"); script_cve_id("CVE-2009-3618", "CVE-2009-3619"); script_name(english:"openSUSE Security Update : viewvc (viewvc-1420)"); script_summary(english:"Check for the viewvc-1420 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=537154" ); script_set_attribute( attribute:"solution", value:"Update the affected viewvc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_cwe_id(79); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:viewvc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.0"); script_set_attribute(attribute:"patch_publication_date", value:"2009/10/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/10/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.0)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.0", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.0", reference:"viewvc-1.0.9-0.1") ) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "viewvc"); }
NASL family Fedora Local Security Checks NASL id FEDORA_2009-8507.NASL description CHANGES in 1.1.2: - security fix: validate the last seen 2020-06-01 modified 2020-06-02 plugin id 40582 published 2009-08-13 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/40582 title Fedora 11 : viewvc-1.1.2-2.fc11 (2009-8507) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2009-8507. # include("compat.inc"); if (description) { script_id(40582); script_version ("1.10"); script_cvs_date("Date: 2019/08/02 13:32:30"); script_cve_id("CVE-2009-3618", "CVE-2009-3619"); script_xref(name:"FEDORA", value:"2009-8507"); script_name(english:"Fedora 11 : viewvc-1.1.2-2.fc11 (2009-8507)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "CHANGES in 1.1.2: - security fix: validate the 'view' parameter to avoid XSS attack - security fix: avoid printing illegal parameter names and values - add optional support for character encoding detection (issue #400) - fix username case handling in svnauthz module (issue #419) - fix cvsdbadmin/svnadmin rebuild error on missing repos (issue #420) - don't drop leading blank lines from colorized file contents (issue #422) - add file.ezt template logic for optionally hiding binary file contents Also includes: Install and populate mimetypes.conf. This should hopefully help when colouring syntax using pygments. Install and populate mimetypes.conf. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=514773" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=514909" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=516958" ); # https://lists.fedoraproject.org/pipermail/package-announce/2009-August/027836.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?e7b4e9f2" ); script_set_attribute( attribute:"solution", value:"Update the affected viewvc package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N"); script_cwe_id(79); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:viewvc"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:11"); script_set_attribute(attribute:"patch_publication_date", value:"2009/08/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2009/08/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2009-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^11([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 11.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC11", reference:"viewvc-1.1.2-2.fc11")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "viewvc"); }
NASL family SuSE Local Security Checks NASL id SUSE_11_1_VIEWVC-091020.NASL description Update of viewvc to version 1.0.9 fixes a cross-site scripting (XSS) problem and enhances filtering of illegal characters when displaying error messages (CVE-2009-3618, CVE-2009-3619). last seen 2020-06-01 modified 2020-06-02 plugin id 42249 published 2009-10-26 reporter This script is Copyright (C) 2009-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/42249 title openSUSE Security Update : viewvc (viewvc-1420)
References
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00566.html
- http://secunia.com/advisories/36292
- https://www.redhat.com/archives/fedora-package-announce/2009-August/msg00557.html
- http://www.vupen.com/english/advisories/2009/2257
- http://www.openwall.com/lists/oss-security/2009/10/16/10
- http://secunia.com/advisories/36311
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://viewvc.tigris.org/source/browse/%2Acheckout%2A/viewvc/tags/1.1.2/CHANGES?revision=2235&pathrev=HEAD