| Anonymous | Login | Signup for a new account | 06-10-2026 07:23 PDT |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Advanced Details [ Jump to Notes ] | [ View Simple ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0004794 | [Resin] | minor | always | 10-12-11 08:35 | 06-20-12 11:07 | ||||
| Reporter | cowan | View Status | public | ||||||
| Assigned To | ferg | ||||||||
| Priority | high | Resolution | not fixable | Platform | |||||
| Status | closed | OS | |||||||
| Projection | none | OS Version | |||||||
| ETA | none | Fixed in Version | Product Version | 4.0.24 | |||||
| Product Build | |||||||||
| Summary | 0004794: getRequestURI is URL decoded using mod_caucho | ||||||||
| Description |
sample.war attached [Access URL (use Resin web server)] http://192.168.108.38:8080/sample/test/%22%3EXSS%3C/A%3E%3Cscript%3Ealert('XSS')%3C/script%3E [^] [Result] getRequestURL: http://192.168.108.38:8080/sample/test/%22%3EXSS%3C/A%3E%3Cscript%3Ealert('XSS')%3C/script%3E [^] getRequestURI: /sample/test/%22%3EXSS%3C/A%3E%3Cscript%3Ealert('XSS')%3C/script%3E [Access URL (use Apache2.2)] http://192.168.108.38/sample/test/%22%3EXSS%3C/A%3E%3Cscript%3Ealert('XSS')%3C/script%3E [^] [Result] getRequestURL: http://192.168.108.38/sample/test/">XSS</A><script>alert('XSS')</script> [^] getRequestURI: /sample/test/">XSS</A><script>alert('XSS')</script> |
||||||||
| Steps To Reproduce | |||||||||
| Additional Information |
Rep by N. SHINOMIYA |
||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0005558) cowan 10-12-11 08:38 |
I verified this on Resin 4.0.24 with Apache 2.2.17. I can confirm the URI read by com.caucho.server.hmux.HmuxRequest HMUX_URI is URL decoded. I'm not sure if mod_caucho is decoding it or Apache. |
|
(0005559) cowan 10-12-11 08:38 |
Customer will need fixed in Resin 3.1 |
|
(0005560) ferg 10-12-11 11:05 |
It's Apache doing the decoding. It's not clear that this is a Resin bug, nor that it will be fixed in Resin 3.1. |
|
(0005896) ferg 06-20-12 11:07 |
See comments in mod_caucho.c. mod_caucho cannot pass along the unparsed_uri because of mod_rewrite. mod_rewrite changes the parsed uri and mod_caucho needs to pass along the post-rewrite uri. Since mod_caucho cannot tell if mod_rewrite is used for a request, it has to assume that it is being used. So, it has no choice but to send along the parsed (and possibly rewritten) uri. |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 10-12-11 08:35 | cowan | New Issue | |
| 10-12-11 08:38 | cowan | Note Added: 0005558 | |
| 10-12-11 08:38 | cowan | Note Added: 0005559 | |
| 10-12-11 11:05 | ferg | Note Added: 0005560 | |
| 06-20-12 11:07 | ferg | Note Added: 0005896 | |
| 06-20-12 11:07 | ferg | Assigned To | => ferg |
| 06-20-12 11:07 | ferg | Status | new => closed |
| 06-20-12 11:07 | ferg | Resolution | open => not fixable |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
35 total queries executed. 29 unique queries executed. |  |
