Mantis Bugtracker
  

ID: 0006184
Category: [Resin]
Severity: major
Reproducibility: always
Date Submitted: 09-11-18 00:59
Last Update: 09-13-18 14:07
Reporter: marc82ch
View Status: public
Assigned To:
Priority: normal
Resolution: fixed
Platform:
Status: closed
OS:
Projection: none
OS Version:
ETA: none
Fixed in Version: 4.0.59
Product Version: 4.0.55
Product Build:
Summary 0006184: Path-based XSS in redirects from FileServlet
Description When a request to a directory is made without a trailing slash, FileServlet redirects to the version WITH a trailing slash with a 301 redirect.

When the original URL contains some evil in the path or query string, this is output unescaped (HTML escape) to the response body of the 301 response like so: "The URL has moved <a href="+encUrl+"</a>", where encUrl is properly URL-encoded, but not HTML escaped, which leads to an XSS vulnerability.
Steps To Reproduce
Additional Information The relevant part of the FileServlet source code is:

// FileServlet: redirect a directory requested without a trailing slash.
// encUrl is the URL-encoded target; it is sent unchanged in the Location header ...
res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
res.setHeader("Location", encUrl);
res.setContentType("text/html; charset=utf-8");

PrintWriter out = res.getWriter();

// ... and then written into the HTML body without HTML escaping, which is the XSS sink.
out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");
Attached Files

- Relationships

- Notes
(0006853)
marc82ch
09-12-18 02:19

BTW: In HttpServletResponseImpl.sendRedirect, there's similar code, but there the HTML escaping is performed. However, I'm wondering why only " and < are escaped and not >. While this may suffice to foil XSS attacks, it seems incomplete. Is there a good reason for this behavior?
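The following is an added example, not Resin's code and not the fix shipped in 4.0.59 (which this page does not show). It builds the 301 body from the FileServlet snippet in the report three ways: the unescaped concatenation quoted above, the partial escaping of only `"` and `<` that note 0006853 describes for sendRedirect, and full HTML escaping. It assumes `encUrl` is an opaque, already URL-encoded string that may still contain `"`, `<`, `>`, `&` and `'`; the class, method and sample names are invented for the illustration.

```java
/**
 * Added example (not Resin source): building the body of the 301 redirect
 * described in this report with and without HTML escaping of the encoded URL.
 * encUrl is treated as opaque input; which characters Resin's URL encoder
 * leaves untouched is an assumption, so the sample below contains all of them.
 */
public class RedirectBodyExample {

    private static final String PREFIX = "The URL has moved <a href=\"";
    private static final String SUFFIX = "\">here</a>";

    /** Same concatenation as the FileServlet snippet in the report: no HTML escaping. */
    static String vulnerableBody(String encUrl) {
        return PREFIX + encUrl + SUFFIX;
    }

    /** Escaping limited to '"' and '<', the sendRedirect behaviour note 0006853 describes. */
    static String partialEscape(String s) {
        return s.replace("\"", "&quot;").replace("<", "&lt;");
    }

    /** Escapes the five characters that can change HTML structure in text or attribute values. */
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Hardened form: identical markup, with the URL HTML-escaped before insertion. */
    static String hardenedBody(String encUrl) {
        return PREFIX + htmlEscape(encUrl) + SUFFIX;
    }

    /**
     * Structural check usable as a regression test: in a correct body the only
     * '<' characters belong to "<a" and "</a>", and the only '"' characters delimit href.
     * It detects attribute/tag breakout, not every escaping omission.
     */
    static boolean bodyIsWellFormed(String body) {
        return count(body, '<') == 2 && count(body, '"') == 2
                && body.startsWith(PREFIX) && body.endsWith(SUFFIX);
    }

    private static int count(String s, char c) {
        int n = 0;
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) == c) n++;
        }
        return n;
    }

    public static void main(String[] args) {
        // Constructed sample path holding every HTML-significant character;
        // it is test input, not the output of any real encoder or request.
        String encUrl = "/docs/sub\" '<>&dir/";
        String partial = PREFIX + partialEscape(encUrl) + SUFFIX;
        System.out.println("vulnerable: " + vulnerableBody(encUrl)
                + "  well-formed=" + bodyIsWellFormed(vulnerableBody(encUrl)));
        System.out.println("partial   : " + partial
                + "  well-formed=" + bodyIsWellFormed(partial));
        System.out.println("hardened  : " + hardenedBody(encUrl)
                + "  well-formed=" + bodyIsWellFormed(hardenedBody(encUrl)));
    }
}
```

Running `main` shows the unescaped body failing the structural check while both escaped variants pass it, which matches the reporter's remark that escaping only `"` and `<` may suffice to stop attribute breakout in a double-quoted href. Full escaping remains the defensible default: `&` left raw lets entity-like sequences in the URL be reinterpreted by the browser, and `>` and `'` become significant as soon as the same helper is reused in an unquoted or single-quoted context.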
 
(0006854)
ferg
09-13-18 14:07

server/001w
 

- Issue History
Date Modified Username Field Change
09-11-18 00:59 marc82ch New Issue
09-12-18 02:19 marc82ch Note Added: 0006853
09-12-18 02:20 marc82ch Issue Monitored: marc82ch
09-12-18 14:53 stbu Issue Monitored: stbu
09-13-18 14:07 ferg Note Added: 0006854
09-13-18 14:07 ferg Status new => closed
09-13-18 14:07 ferg Resolution open => fixed
09-13-18 14:07 ferg Fixed in Version  => 4.0.59

