| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
| 0006184 | [Resin] | major | always | 09-11-18 00:59 | 09-13-18 14:07 |

Summary: 0006184: Path-based XSS in redirects from FileServlet
When a request to a directory is made without a trailing slash, FileServlet redirects to the version WITH a trailing slash with a 301 redirect.
When the original URL contains some evil in the path or query string, this is output without HTML escaping to the response body of the 301 response, like so: "The URL has moved <a href=" + encUrl + "</a>", where encUrl is properly URL-encoded but not HTML escaped, which leads to an XSS vulnerability.
The relevant part of the FileServlet source code is:
PrintWriter out = res.getWriter();
out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");
BTW: In HttpServletResponseImpl.sendRedirect, there's similar code, but there the HTML escaping is performed. However, I'm wondering why only " and < are escaped and not >. While this may suffice to foil XSS attacks, it seems incomplete. Is there a good reason for this behavior?
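To make the two encoding contexts concrete, here is an added example (my code, not Resin's FileServlet or HttpServletResponseImpl) that writes the redirect body quoted in the report both as reported and with an HTML escape that also covers > and &, the gap the note above asks about. The PrintWriter targets and the sample encUrl value are constructed for the demonstration.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

// Added example, not Resin's code: the 301 body from the report, written
// raw (as FileServlet did) and with the link target HTML-escaped.
public class RedirectBodyExample {

    // HTML-escape a value for use in an attribute or text node. Covers all
    // five significant characters, including '>' (the one the note says
    // HttpServletResponseImpl.sendRedirect leaves alone) and '&'.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // The body as the report quotes it: encUrl goes in unescaped.
    static void writeBodyVulnerable(PrintWriter out, String encUrl) {
        out.println("The URL has moved <a href=\"" + encUrl + "\">here</a>");
    }

    // Hardened: URL encoding is for the Location header; an HTML body needs
    // HTML escaping on top of it, because the two output contexts differ.
    static void writeBodyHardened(PrintWriter out, String encUrl) {
        out.println("The URL has moved <a href=\"" + escapeHtml(encUrl) + "\">here</a>");
    }

    public static void main(String[] args) {
        // Constructed sample: whatever string reaches println as encUrl,
        // here one that still carries a quote and angle brackets.
        String encUrl = "/docs/\"><b>x</b>/";
        StringWriter v = new StringWriter(), h = new StringWriter();
        writeBodyVulnerable(new PrintWriter(v, true), encUrl);
        writeBodyHardened(new PrintWriter(h, true), encUrl);
        System.out.print(v);   // href attribute closes early; <b> becomes markup
        System.out.print(h);   // href="/docs/&quot;&gt;&lt;b&gt;x&lt;/b&gt;/" stays an attribute
    }
}
```

A 301 needs only the Location header; if a body is written at all, the link target has to be HTML-escaped for the attribute context regardless of how it was URL-encoded.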
Issue History

| Date | User | Field | Change |
| 09-11-18 00:59 | marc82ch | New Issue | |
| 09-12-18 02:19 | marc82ch | Note Added: 0006853 | |
| 09-12-18 02:20 | marc82ch | Issue Monitored: marc82ch | |
| 09-12-18 14:53 | stbu | Issue Monitored: stbu | |
| 09-13-18 14:07 | ferg | Note Added: 0006854 | |
| 09-13-18 14:07 | ferg | Status | new => closed |
| 09-13-18 14:07 | ferg | Resolution | open => fixed |
| 09-13-18 14:07 | ferg | Fixed in Version | => 4.0.59 |