Mantis Bugtracker

Viewing Issue Simple Details
ID: 0006184
Category: [Resin]
Severity: major
Reproducibility: always
Date Submitted: 09-11-18 00:59
Last Update: 09-13-18 14:07
Reporter: marc82ch
View Status: public
Assigned To:
Priority: normal
Resolution: fixed
Status: closed
Product Version: 4.0.55
Summary 0006184: Path-based XSS in redirects from FileServlet
Description When a request to a directory is made without a trailing slash, FileServlet redirects to the version WITH a trailing slash with a 301 redirect.

When the original URL contains some evil in the path or query string, this is output unescaped (HTML escape) to the response body of the 301 response like so: "The URL has moved <a href="+encUrl+"</a>", where encUrl is properly URL-encoded, but not HTML escaped, which leads to an XSS vulnerability.
Additional Information The relevant part of the FileServlet source code is:

res.setHeader("Location", encUrl);
res.setContentType("text/html; charset=utf-8");

PrintWriter out = res.getWriter();

out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");
- Notes
09-12-18 02:19 marc82ch (note 0006853)

BTW: In HttpServletResponseImpl.sendRedirect, there's similar code, but there the HTML escaping is performed. However, I'm wondering why only " and < are escaped and not >. While this may suffice to foil XSS attacks, it seems incomplete. Is there a good reason for this behavior?
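The two sinks discussed above, written out as an added example that is not Resin's code: the redirect body exactly as the report quotes it, next to a hardened version that HTML-escapes the URL-encoded `encUrl` before it is written into the `href` attribute. The class name `SafeRedirect`, the `htmlEscape` helper and the `sendMovedPermanently` wrapper are this example's own, and the payload in `main` is a constructed request path that assumes the URL encoder leaves `"` and `<` intact, which is what the description implies. On the question raised in the note: escaping `"` closes attribute break-out for a double-quoted attribute and escaping `<` closes tag injection in text content, so those two characters do cover the two paths into this particular body; leaving `&` unescaped still lets attacker-supplied entity references alter the decoded link target, and `>` and `'` cost nothing to escape, which is why the conventional rule is to escape all five regardless of context.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example, not Resin's code: building the 301 body of a directory
 * redirect without reflecting the request URL into HTML unescaped.
 */
public final class SafeRedirect {

    /** The body from the report: encUrl is URL-encoded only, so '"' ends the href. */
    public static String vulnerableBody(String encUrl) {
        return "The URL has moved <a href=\"" + encUrl + "\">here</a>";
    }

    /** Same body, with encUrl HTML-escaped for the attribute it lands in. */
    public static String hardenedBody(String encUrl) {
        return "The URL has moved <a href=\"" + htmlEscape(encUrl) + "\">here</a>";
    }

    /**
     * Escape the five characters that can change HTML structure or entity
     * decoding. The note observes that sendRedirect escapes only '"' and '<';
     * that closes attribute break-out and tag injection, but '&' is still
     * decoded by the browser inside the attribute, so it is escaped here too.
     */
    public static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Replacement for the redirect block quoted in the report (hypothetical helper). */
    public static void sendMovedPermanently(HttpServletResponse res, String encUrl)
            throws IOException {
        res.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        res.setHeader("Location", encUrl);       // header context: URL encoding is the right form
        res.setContentType("text/html; charset=utf-8");
        PrintWriter out = res.getWriter();
        out.println(hardenedBody(encUrl));       // HTML context: escape again for the body
    }

    public static void main(String[] args) {
        // Constructed attacker path; assumes '"' and '<' survive the URL encoder.
        String encUrl = "/docs/\"><script>alert(1)</script>";
        System.out.println(vulnerableBody(encUrl)); // attribute closed, script tag injected
        System.out.println(hardenedBody(encUrl));   // payload stays inside the href value
    }
}
```

The smallest fix is stricter still: a 301 does not need the URL in its body at all, since user agents act on the Location header, so emitting a constant body (or none) removes the reflection sink entirely.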
09-13-18 14:07 ferg (note 0006854)

- Issue History
Date Modified Username Field Change
09-11-18 00:59 marc82ch New Issue
09-12-18 02:19 marc82ch Note Added: 0006853
09-12-18 02:20 marc82ch Issue Monitored: marc82ch
09-12-18 14:53 stbu Issue Monitored: stbu
09-13-18 14:07 ferg Note Added: 0006854
09-13-18 14:07 ferg Status new => closed
09-13-18 14:07 ferg Resolution open => fixed
09-13-18 14:07 ferg Fixed in Version  => 4.0.59

Mantis 1.0.0rc3
Copyright © 2000 - 2005 Mantis Group