J-Security Center

Title: ViewCVS Multiple Information Disclosure Vulnerabilities

Severity: HIGH

Description:

ViewCVS is an application that allows users to browse CVS and Subversion repositories via the web. It can also let remote users download portions of a version control repository as tar archives.

ViewCVS is reported to be prone to multiple information disclosure vulnerabilities. These issues are reportedly triggered when repositories are exported as tar archives.

ViewCVS can be configured to expose only certain paths through the web application. The vulnerable package provides the 'forbidden' and 'hide_cvsroot' configuration directives. The 'forbidden' directive lets administrators define a list of directories, or patterns of directories, that may or may not be exported to the web. The 'hide_cvsroot' directive lets administrators allow or deny access to the CVS-specific 'CVSROOT' directory.

Reportedly, these configuration directives are not properly honored when creating tar archives for users to download. This allows remote attackers to gain access to potentially sensitive files located in restricted directories. The contents of these files may aid them in further attacks.

This issue is only exploitable if the package is configured to allow tar archive generation. This is enabled by setting the 'tar_archive' configuration directive to '1'.
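
The access check that the tar exporter reportedly skipped, as an added Python illustration that is not part of ViewCVS or of this advisory; the function names and the rule that a 'forbidden' pattern matches any directory component of a path are assumptions:

```python
import fnmatch

# Added illustration, not ViewCVS's own code: the per-entry access check a tar
# exporter has to apply so that the archive obeys the same 'forbidden' and
# 'hide_cvsroot' rules as the web views. Function names and the matching rule
# (a pattern matches any directory component) are assumptions.


def is_hidden(repo_path, forbidden, hide_cvsroot):
    """Return True if repo_path must stay out of every view and archive.

    forbidden    -- list of directory names or fnmatch patterns
    hide_cvsroot -- truthy when the CVS-specific CVSROOT directory is hidden
    """
    parts = [p for p in repo_path.strip("/").split("/") if p and p != "."]
    if ".." in parts:
        return True  # a relative escape can never be a repository path
    if hide_cvsroot and parts and parts[0] == "CVSROOT":
        return True
    # Over-hiding is the safe failure mode, so every component is matched,
    # including a final file name.
    for component in parts:
        for pattern in forbidden:
            if fnmatch.fnmatchcase(component, pattern):
                return True
    return False


def filter_for_tar(candidate_paths, forbidden, hide_cvsroot):
    """Keep only the paths the tar export may include.

    The advisory's flaw is an archive builder that walked the repository
    without this step, so restricted entries ended up in the download.
    """
    return [p for p in candidate_paths
            if not is_hidden(p, forbidden, hide_cvsroot)]


if __name__ == "__main__":
    # Constructed repository listing and configuration (not real data).
    listing = [
        "CVSROOT/passwd",
        "project/src/main.c",
        "project/private/keys.pem",
        "project/docs/README",
        "internal-tools/build.sh",
    ]
    for path in filter_for_tar(listing, ["private", "internal-*"], 1):
        print(path)
```

With the constructed listing, only project/src/main.c and project/docs/README survive the filter; the CVSROOT entry, the 'private' subtree and the 'internal-*' module are all kept out of the archive.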

Affected Products:

  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • S.u.S.E. Linux Personal 9.0.0
  • S.u.S.E. Linux Personal 9.0.0 x86_64
  • S.u.S.E. Linux Personal 9.1.0
  • S.u.S.E. Linux Personal 9.2.0
  • ViewCVS ViewCVS 0.9.2

References:
