Reflected XSS in CVSweb 2.x

Description

CVSweb 2.x is vulnerable to a reflected XSS attack in the cvsroot parameter due to improper input sanitization (CWE-79). Example exploit:

/cgi-bin/cvsweb/?cvsroot=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&only_with_tag=MAIN

The OpenBSD website has an installation of CVSweb available. Proof of concept.

Mitigation

The CVSweb project is no longer maintained, according to the official website:

Please note that CVSweb is no longer maintained, and is no longer in use within the FreeBSD Project. There may be unpatched security issues with the code available on this page. The information and files available here are retained for historical interest only; we can not recommend anybody use the code available here without an understanding that any security issues discovered will not be fixed.

As such, no attempt was made to contact the maintainer for a fix. The issue is fixed by other changes in the 3.x branch of CVSweb. While CVSweb 2.x is old, it is still in use today and available as a package for many Linux/BSD distributions.
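For installations still running 2.x, one way to spot requests of the kind described above is to scan the web server access log for cvsroot values that do not look like repository names. The following is an added example, not code from this advisory or from the CVSweb project. It assumes that legitimate cvsroot values are short symbolic names matching the allowlist shown, and the log lines are constructed samples.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption: legitimate cvsroot values are short symbolic repository names.
SAFE_CVSROOT = re.compile(r"[A-Za-z0-9_.-]{1,64}")
# Request line inside an Apache-style access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (documentation IP addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /cgi-bin/cvsweb/src/?cvsroot=src HTTP/1.1" 200 5120',
    '192.0.2.77 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /cgi-bin/cvsweb/?cvsroot=%22%3E%3Cscript%3Ealert(1)%3C/script%3E'
    '&only_with_tag=MAIN HTTP/1.1" 200 4096',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /cgi-bin/cvsweb/ports/?only_with_tag=MAIN HTTP/1.1" 200 2048',
]


def suspicious_cvsroot(log_line):
    """Return the decoded cvsroot values in one log line that fail the allowlist."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # Everything after the first "?" is the query string.
    query = m.group(1).partition("?")[2]
    # parse_qs percent-decodes, so encoded markup is compared in decoded form.
    values = parse_qs(query).get("cvsroot", [])
    return [v for v in values if not SAFE_CVSROOT.fullmatch(v)]


def scan(lines):
    """Return (client_ip, decoded_value, html_escaped_value) for each hit."""
    hits = []
    for line in lines:
        for value in suspicious_cvsroot(line):
            # html.escape shows how the value renders once output-encoded.
            hits.append((line.split()[0], value, html.escape(value, quote=True)))
    return hits


if __name__ == "__main__":
    for ip, raw, escaped in scan(SAMPLE_LOG):
        print(f"{ip}: cvsroot={raw!r} -> escaped {escaped!r}")
```

The same allowlist can be enforced in front of the CGI (for example in a reverse proxy rule) so that non-matching cvsroot values never reach CVSweb 2.x.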