XSS in the RequestLoggerMiddleware.cs #3279
Comments
|
XSS is very context specific. What you describe above would e.g. not do any harm in a console output (and we cannot know how you plan to output your log files). IOW - you protect yourself against XSS with output encoding, not input sanitization. As a side note - this logger is only part of our test host. Not IdentityServer. |
|
btw - are you the author of this https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12250 |
|
Quick heads up, there are guidelines in place for reporting security issues: https://github.com/IdentityServer/IdentityServer4/blob/master/SECURITY.MD |
|
@JameelNabbo I contacted CVE to take the entry down, as it is obviously not a security problem. If you are the author please do the same. For the "security researcher" I have advice for the future
|
|
This came up as an item for the team I'm on to check into since it shows up on CVE lists still. I wanted to share a bit more detailed explanation about some reasons why I believe this is not an issue for IdenttiyServer4 consumers. (To be clear, I'm not a security researcher. But if the earlier points didn't clarify it enough, I think these points are more than sufficient to alleviate concerns for teams using IdentityServer).
Hope this helps somebody else out. |
|
The real problem is that @JameelNabbo doesn’t know what he is talking about, ignored all best practices wrt to responsible disclosure and opened a CVE instead. Now he doesn’t even have the decency to correct this mistake. Case closed. |
|
This thread has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs. |
Hi,
https://github.com/IdentityServer/IdentityServer4/blob/master/src/IdentityServer4/host/Extensions/RequestLoggerMiddleware.cs
in the LogForErrorContext method the PARAM httpContext is not filtred, and can be injected with XSS payload onerror="alert(String.fromCharCode(88,83,83)) in which can be triggred from the log as well.
static ILogger LogForErrorContext(HttpContext httpContext)
{
var request = httpContext.Request;
The text was updated successfully, but these errors were encountered: