| Anonymous | Login | Signup for a new account | 12-17-2024 08:52 PST |
| Main | My View | View Issues | Change Log | Docs |
| Viewing Issue Simple Details [ Jump to Notes ] | [ View Advanced ] [ Issue History ] [ Print ] | ||||||||
| ID | Category | Severity | Reproducibility | Date Submitted | Last Update | ||||
| 0006184 | [Resin] | major | always | 09-11-18 00:59 | 09-13-18 14:07 | ||||
| Reporter | marc82ch | View Status | public | ||||||
| Assigned To | |||||||||
| Priority | normal | Resolution | fixed | ||||||
| Status | closed | Product Version | 4.0.55 | ||||||
| Summary | 0006184: Path-based XSS in redirects from FileServlet | ||||||||
| Description |
When a request to a directory is made without a trailing slash, FileServlet redirects to the version WITH a trailing slash with a 301 redirect. When the original URL contains some evil in the path or query string, this is output unescaped (HTML escape) to the response body of the 301 response like so: "The URL has moved <a href="+encUrl+"</a>", where encUrl is properly URL-encoded, but not HTML escaped, which leads to an XSS vulnerability. |
||||||||
| Additional Information |
The relevant part of the FileServlet source code is: res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY); res.setHeader("Location", encUrl); res.setContentType("text/html; charset=utf-8"); PrintWriter out = res.getWriter(); out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>"); |
||||||||
| Attached Files | |||||||||
|
|
|||||||||
 Relationships |
|
|
Notes |
|
|
(0006853) marc82ch 09-12-18 02:19 |
BTW: In HttpServletResponseImpl.sendRedirect, there's similar code, but there the HTML escaping is performed. However, I'm wondering why only " and < are escaped and not >. While this may suffice to foil XSS attacks, it seems incomplete. Is there a good reason for this behavior? |
|
(0006854) ferg 09-13-18 14:07 |
server/001w |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 09-11-18 00:59 | marc82ch | New Issue | |
| 09-12-18 02:19 | marc82ch | Note Added: 0006853 | |
| 09-12-18 02:20 | marc82ch | Issue Monitored: marc82ch | |
| 09-12-18 14:53 | stbu | Issue Monitored: stbu | |
| 09-13-18 14:07 | ferg | Note Added: 0006854 | |
| 09-13-18 14:07 | ferg | Status | new => closed |
| 09-13-18 14:07 | ferg | Resolution | open => fixed |
| 09-13-18 14:07 | ferg | Fixed in Version | => 4.0.59 |
| Mantis 1.0.0rc3[^]
Copyright © 2000 - 2005 Mantis Group
34 total queries executed. 28 unique queries executed. |  |
