This summer I was introduced to ReviewBoard, an excellent open-source web application which integrates with source control systems to facilitate code review.

Being the curious researcher that I am, I setup my own installation and set out evaluating it for common security issues.

In my examination of ReviewBoard, I started by creating a guest account using a cross-site scripting (XSS) locator string as the user’s name.  An XSS locator is a short piece of HTML which when rendered will trigger some JavaScript action such as an alert box.

I then proceeded to assign a review request to this user and as I was typing in the name, an alert box popped up letting me know that I had found vulnerability. Upon further investigation, I found that the user’s name was being unsafely rendered in the auto-complete box.

I promptly reported the issue to ReviewBoard and was pleasantly surprised by their response.  Not only did they express gratitude for bringing it to their attention but barely 24 hours later versions 1.6.17 and 1.7.10 were released. This issue was assigned CVE-2013-2209 and is detected by IP360.

A few weeks later I found myself with a few minutes to kill and decided to poke a little more at my ReviewBoard site.  As it turns out, the auto-complete widget was not the only place in the UI which would unsafely render the user’s name.

As I browsed through my site, I found that the user’s name is also rendered when viewing the list of submitters.

This issue is now tracked as CVE-2013-4795.  Encouraged by this finding, I decided to look at how file uploads are handled. – ReviewBoard allows users to upload and associate files with a review request.

The first thing I tried was to upload a file using an XSS locator as a filename similar to a WebSphere vulnerability which I helped IBM address in April 2013.

ReviewBoard handled this test case properly but in the process of testing, I uncovered a separate far more serious issue.  On my Apache server, I could attach PHP source code to a review request which would subsequently be executed by the server if a request was made to download the attachment.

The implications of this are grave since it enables users to execute code in the context of the web server.

Alternatively this issue, now tracked as CVE-2013-4796, has the implication that a malicious user can upload HTML/JavaScript content to the ReviewBoard site for the purpose of launching client-side attacks in the context of the ReviewBoard domain.

ReviewBoard has now released versions 1.6.18 and 1.7.12 to address CVE-2013-4795 but it is important to note that the more critical issue, CVE-2013-4796 is not resolved by upgrading a ReviewBoard site to the latest version.

Although sites created with the latest versions are configured to mitigate the risk, the upgrade process does not harden the configuration for existing sites.

In this case it is advised that users follow the newly released ReviewBoard configuration guide available here:

 

Related Articles:

P.S. Have you met John Powers, supernatural CISO?

 

Title image courtesy of ShutterStock

Categories:

Tags: , , , , , ,


Craig Young

Craig Young has contributed 26 posts to The State of Security.

View all posts by Craig Young >