[Bug 58226] New: XSS in Error Page


[Bug 58226] New: XSS in Error Page

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

            Bug ID: 58226
           Summary: XSS in Error Page
           Product: Apache httpd-2
           Version: 2.4.12
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Win32 MSI Installer
          Assignee: [hidden email]
          Reporter: [hidden email]

Created attachment 32983
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=32983&action=edit
Hover over the link and see the payload

Setup Details : Apache/2.4.12 (Win32) OpenSSL/1.0.1m PHP/5.6.11

Request to server:

GET /not_existing_link HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: javascript:alert(1)//452bce05
Cookie: _ga=GA1.1.1225409471.1439004440; _gat=1
Connection: keep-alive

When we send the above request to the server, the script in the referer header
(Referer: javascript:alert(1)//452bce05) gets embedded in the error page.

This gets executed when the user clicks on the link. (Image attached)

The same can be used for SELF XSS.

Recommendation: Convert respective characters from the referer header into
their HTML entities.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 58226] XSS in Error Page

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

--- Comment #1 from [hidden email] ---
I have the same issue for

aim-server[~/tmp/deti_dohtur]$ httpd -M  
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 authz_core_module (shared)
 access_compat_module (shared)
 socache_shmcb_module (shared)
 include_module (shared)
 mime_module (shared)
 log_config_module (shared)
 env_module (shared)
 headers_module (shared)
 setenvif_module (shared)
 ssl_module (shared)
 mpm_event_module (shared)
 unixd_module (shared)
 autoindex_module (shared)
 suexec_module (shared)
 negotiation_module (shared)
 dir_module (shared)
 actions_module (shared)
 userdir_module (shared)
 alias_module (shared)
 rewrite_module (shared)
 fastcgi_module (shared)
aim-server[~/tmp/deti_dohtur]$ httpd -V
Server version: Apache/2.4.25 (Unix)
Server built:   May 21 2017 22:05:06
Server's Module Magic Number: 20120211:67
Server loaded:  APR 1.5.2, APR-UTIL 1.5.4
Compiled using: APR 1.5.2, APR-UTIL 1.5.4
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/bin/suexec"
 -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"
aim-server[~/tmp/deti_dohtur]$ httpd -l
Compiled in modules:
  core.c
  mod_so.c
  http_core.c
aim-server[~/tmp/deti_dohtur]$ uname -a
Linux aim-server.crtdev.local 4.11.3-1-ARCH #1 SMP PREEMPT Sun May 28 10:40:17 CEST 2017 x86_64 GNU/Linux
aim-server[~/tmp/deti_dohtur]$



[Bug 58226] XSS in Error Page

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major



[Bug 58226] XSS in Error Page

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|Win32 MSI Installer         |Core



[Bug 58226] XSS in Error Page

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

--- Comment #2 from [hidden email] ---
It seems you have to change the templates like
/usr/share/httpd/error/HTTP_NOT_FOUND.html.var
and sanitize the HTTP_REFERER variable

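The check an error template would need before linking the referer (the report's recommendation and comment #2 both point at this), next to the unchecked form, plus a sweep over access-log lines for requests that would have been reflected. This is an added Python example, not httpd's template code or anything from the thread; the page markup and the log lines are constructed stand-ins for the .html.var template and a combined-format access log.

```python
import html
import re
from urllib.parse import urlsplit
NOT_FOUND_TEXT = "<p>The requested URL was not found on this server.</p>"
LINK_TEXT = ('<p>The link on the <a href="%s">referring page</a> '
             'seems to be wrong or outdated.</p>')

def render_vulnerable(referer):
    """Stand-in for a template that echoes HTTP_REFERER straight into an href."""
    return LINK_TEXT % referer if referer else NOT_FOUND_TEXT

def safe_referer_href(referer):
    """Attribute-safe href for the referer, or None when it must not be linked.
    Entity encoding stops attribute break-out but not a javascript: scheme,
    so only absolute http(s) URLs are linked, and those are then escaped."""
    try:
        parts = urlsplit(referer)
    except ValueError:
        return None
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return html.escape(referer, quote=True)

def render_hardened(referer):
    """Same page, but the link is emitted only for a validated, escaped referer."""
    href = safe_referer_href(referer or "")
    return LINK_TEXT % href if href is not None else NOT_FOUND_TEXT

# Combined log format: client ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:[^"\\]|\\.)*" (\d{3}) \S+ '
                    r'"((?:[^"\\]|\\.)*)" "(?:[^"\\]|\\.)*"$')

def flag_unsafe_referers(log_lines):
    """Detection: 4xx hits whose Referer fails safe_referer_href, i.e. the
    requests that would have been reflected into an error page."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, status, referer = m.group(1), int(m.group(2)), m.group(3)
        if referer != "-" and 400 <= status < 500 and safe_referer_href(referer) is None:
            hits.append((client, status, referer))
    return hits
# Constructed access-log lines; the first carries the Referer from the report.
SAMPLE_LOG = [
    '127.0.0.1 - - [08/Aug/2015:10:22:01 +0000] "GET /not_existing_link HTTP/1.1" 404 1234 "javascript:alert(1)//452bce05" "Mozilla/5.0"',
    '127.0.0.1 - - [08/Aug/2015:10:22:05 +0000] "GET /index.html HTTP/1.1" 200 512 "https://example.org/start" "Mozilla/5.0"',
    '127.0.0.1 - - [08/Aug/2015:10:22:09 +0000] "GET /missing HTTP/1.1" 404 1234 "-" "Mozilla/5.0"',
]
```

Entity encoding alone would still leave a clickable `javascript:` link, which is why the scheme check comes first here.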


[Bug 58226] XSS in Error Page

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=58226

[hidden email] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Version|2.4.12                      |2.4.25
