Mantis - Resin
Viewing Issue Advanced Details

ID: 6184
Category:
Severity: major
Reproducibility: always
Date Submitted: 09-11-18 00:59
Last Update: 09-13-18 14:07

Reporter: marc82ch
Platform:
Assigned To:
OS:
Priority: normal
OS Version:
Status: closed
Product Version: 4.0.55
Product Build:
Resolution: fixed
Projection: none
ETA: none
Fixed in Version: 4.0.59

Summary: 0006184: Path-based XSS in redirects from FileServlet

Description:
When a request to a directory is made without a trailing slash, FileServlet redirects to the version WITH a trailing slash with a 301 redirect. When the original URL contains some evil in the path or query string, this is output unescaped (HTML escape) to the response body of the 301 response like so: "The URL has moved <a href="+encUrl+"</a>", where encUrl is properly URL-encoded, but not HTML escaped, which leads to an XSS vulnerability.

Steps To Reproduce:

Additional Information:
The relevant part of the FileServlet source code is:

    res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
    res.setHeader("Location", encUrl);
    res.setContentType("text/html; charset=utf-8");
    PrintWriter out = res.getWriter();
    out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");

Relationships
Attached Files:
Notes
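
The output pattern quoted in the report, next to an HTML-escaped form of the same line, as an added example (not part of the original report and not the actual Resin fix). The class name, the `escapeHtml` helper and the sample URL are constructed for illustration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

public class RedirectBodyEscaping {

    // Hypothetical helper: escape the five characters that are significant
    // in HTML text and in quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Body as in the code quoted in the report: encUrl goes into the markup as-is.
    static void writeBodyUnescaped(PrintWriter out, String encUrl) {
        out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");
    }

    // Same body with the URL HTML-escaped for the attribute context.
    static void writeBodyEscaped(PrintWriter out, String encUrl) {
        out.println("The URL has moved <a href=\"" + escapeHtml(encUrl) + "\">here</a>");
    }

    public static void main(String[] args) {
        // Constructed sample: a redirect target that still contains HTML metacharacters.
        String encUrl = "/docs/a\"b<c>&d'/";

        StringWriter before = new StringWriter();
        StringWriter after = new StringWriter();
        writeBodyUnescaped(new PrintWriter(before, true), encUrl);
        writeBodyEscaped(new PrintWriter(after, true), encUrl);

        System.out.print("unescaped: " + before);
        System.out.print("escaped:   " + after);
    }
}
```

Only the HTML body needs the escaped value; the `Location` header is not HTML and keeps the URL-encoded string.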