OSVDB ID: 12235

Title: ViewCVS Restricted Directory Access Security Bypass

Dates

Disclosure: Dec 06, 2004
Discovery: Unknown
Exploit: Unknown
Solution: Unknown

Description

ViewCVS contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a repository is exported as a tar archive: the export does not honor the hide_cvsroot and forbidden settings, resulting in a loss of confidentiality.

Classification

Location: Remote/Network Access Required
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Unavailable
Disclosure: OSVDB Verified

Solution

Upgrade to version 0.9.2-4woody1 if running the stable distribution of Debian, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

ViewCVS

ViewCVS

0.9.2

References

Credit

  • Hajvan Sehic


Direct URL: http://osvdb.org/36218