ViewVC Directory Traversal Vulnerability in Standalone Server

A directory traversal vulnerability has been identified in ViewVC versions 1.1.0 through 1.1.31 and 1.2.0 through 1.2.3. The issue arises in the standalone.py script, which can be accessed remotely and anonymously. When the 'show_subdir_lastmod' option is enabled, the server can expose arbitrary filesystem content from directories outside the targeted CVS repository. This is achieved by crafting HTTP requests that exploit the directory traversal flaw, potentially revealing CVS repository data that is not explicitly configured for public viewing.

Impact

Exploitation of this vulnerability can lead to unauthorized exposure of directory names and structures from the host filesystem, particularly from directories readable by the ViewVC process. If the traversed directories contain CVS repositories, they may be served through the ViewVC interface, bypassing normal visibility controls.

Reproduction

To reproduce this vulnerability, upload a file with a crafted name, including directory traversal characters, into a public CVS repository. Ensure that the ViewVC 'show_subdir_lastmod' option is enabled. Then, access the parent directory through the ViewVC interface, which will relay the unescaped filename to the browser, demonstrating the directory traversal exploit.

Remediation

Users should upgrade ViewVC to version 1.2.4 or 1.1.31. Instructions for applying the patch manually are available on the ViewVC GitHub repository.