Page Not Found Handler Cross-site Scripting -- CVE-2020-11944 #292

Closed
geeknik opened this issue Apr 20, 2020 · 6 comments

Comments

geeknik commented Apr 20, 2020

A lack of filtering around line 253 of abe.py

        except PageNotFound:
            page['status'] = '404 Not Found'
            page['body'] = ['<p class="error">Sorry, ', env['SCRIPT_NAME'],
                            env['PATH_INFO'],
                            ' does not exist on this server.</p>']

allows attackers to abuse the Page Not Found error handler and pass rogue JavaScript to unsuspecting users using a specially crafted URL:

https://host.name/<img src=x onerror=alert(document.cookie)>">

MITRE has assigned CVE-2020-11944 to this flaw. Thank you.

@Lvl4Sword
Member

I'm quite honestly disappointed that you didn't properly disclose this and instead chose to publicly display it in the issues for everyone to see.
There are quite a few instances of Abe currently active that are vulnerable to this.


Lvl4Sword commented Apr 21, 2020

To anyone stumbling across this:

  • Change the from cgi import escape import to from html import escape
  • Within __call__, set:

env['PATH_INFO'] = escape(env['PATH_INFO'], quote=True)

right above the page dictionary, and then within the page dictionary, set:

"dotdot": "../" * (env['PATH_INFO'].count('/') - 1),

You can verify this is the proper fix because something like <BODY ONLOAD=alert('XSS')> will actually be presented in the HTML, as opposed to being hidden and executed.

Also, since this iteration of Abe is Python 2,
take a look at my Woodcoin Python 3 fork of Abe at
https://github.com/woodcoin-core/woodcoin-explorer/ and use that for the time being.

I'm working on a Flask version which should be done soon* as well.

Lvl4Sword added a commit to woodcoin-core/woodcoin-explorer that referenced this issue Apr 21, 2020
dermoth pushed a commit to dermoth/bitcoin-abe that referenced this issue Apr 23, 2020
dermoth pushed a commit to dermoth/bitcoin-abe that referenced this issue Apr 23, 2020

dermoth commented Apr 23, 2020

Thanks for the fix @Lvl4Sword - merged in Abe too


Lvl4Sword commented Apr 23, 2020

@dermoth Actually, since 3.2 cgi.escape has been deprecated - https://docs.python.org/3.5/library/cgi.html#cgi.escape and html.escape is recommended instead with quote=True


Lvl4Sword commented Apr 23, 2020

Alright, so proper fix consists of the following:
Within __call__, set

env['PATH_INFO'] = escape(env['PATH_INFO'], quote=True)

right above the page dictionary. Then within the page dictionary, set

"dotdot": "../" * (env['PATH_INFO'].count('/') - 1),

You can verify this is the proper fix because something like
<BODY ONLOAD=alert('XSS')> will actually be presented in the HTML, as opposed to being hidden and executed.

( I've edited my above message to add this information )
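The following is an added example, not code from the thread or from the Abe project, that puts the handler pattern geeknik reported beside the fix Lvl4Sword describes (escape PATH_INFO with html.escape(..., quote=True) before the page dictionary is built, then derive dotdot from the escaped value). The PageNotFound class, the SAMPLE_ENV dictionary and the render_404_* / echoes_raw_path function names are constructed for this example; SCRIPT_NAME is assumed to come from server configuration, which is why the fix only escapes PATH_INFO.

```python
import html


class PageNotFound(Exception):
    """Constructed stand-in for the exception abe.py raises for unknown paths."""


# Constructed sample WSGI environment. SCRIPT_NAME is set by the server
# configuration (assumption); PATH_INFO is the request path, the part a
# client controls, and here carries tag and quote characters.
SAMPLE_ENV = {
    'SCRIPT_NAME': '/abe',
    'PATH_INFO': '/missing/"<b>page</b>',
}


def render_404_vulnerable(env):
    """The pattern reported in the issue (the body of the `except PageNotFound`
    branch): the raw path is concatenated straight into the HTML body."""
    page = {
        'status': '404 Not Found',
        'body': ['<p class="error">Sorry, ', env['SCRIPT_NAME'],
                 env['PATH_INFO'],
                 ' does not exist on this server.</p>'],
    }
    return ''.join(page['body'])


def render_404_fixed(env):
    """The fix described in the thread: escape PATH_INFO (quote=True also
    escapes " and ') before the page dictionary is built, and compute
    dotdot from the escaped value. This copy works on a fresh dict so the
    caller's env is untouched; the project's __call__ assigns back into env."""
    env = dict(env)
    env['PATH_INFO'] = html.escape(env['PATH_INFO'], quote=True)
    page = {
        'status': '404 Not Found',
        'dotdot': '../' * (env['PATH_INFO'].count('/') - 1),
        'body': ['<p class="error">Sorry, ', env['SCRIPT_NAME'],
                 env['PATH_INFO'],
                 ' does not exist on this server.</p>'],
    }
    return ''.join(page['body']), page['dotdot']


def echoes_raw_path(rendered, path_info):
    """Verification check in the spirit of the thread: True when the supplied
    path appears in the response byte-for-byte (i.e. tags would render as
    markup), False when it only appears as escaped text."""
    return path_info in rendered


if __name__ == '__main__':
    print(render_404_vulnerable(SAMPLE_ENV))
    body, dotdot = render_404_fixed(SAMPLE_ENV)
    print(body)
    print('dotdot =', dotdot)
```

Run it and the first line shows the tags from PATH_INFO reaching the response unchanged, while the fixed output shows them as &lt;b&gt; text; the slash count, and therefore dotdot, is unaffected by escaping because html.escape does not touch '/'.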

Lvl4Sword added a commit to woodcoin-core/woodcoin-explorer that referenced this issue Apr 23, 2020
dermoth pushed a commit to dermoth/bitcoin-abe that referenced this issue Jul 18, 2020
@Lvl4Sword
Member

This has been fixed, closed.
