Page Not Found Handler Cross-site Scripting -- CVE-2020-11944 #292
Comments
|
I'm quite honestly disappointed that you didn't properly disclose this and instead chose to publicly display it in the issues for everyone to see. |
|
To anyone stumbling across this:
`env['PATH_INFO'] = escape(env['PATH_INFO'], quote=True)` right above the
You can verify this is the proper fix because something like
Also, since this iteration of Abe is Python 2, I'm working on a Flask version which should be done soon* as well. |
this nonsense: bitcoin-abe#292
this nonsense: bitcoin-abe#292 Fixes bitcoin-abe#292
|
Thanks for the fix @Lvl4Sword - merged in Abe too |
|
@dermoth Actually, since 3.2 |
|
Alright, so proper fix consists of the following: `env['PATH_INFO'] = escape(env['PATH_INFO'], quote=True)` right above the `"dotdot": "../" * (env['PATH_INFO'].count('/') - 1),` You can verify this is the proper fix because something like ( I've edited my above message to add this information ) |
bitcoin-abe#292 (comment) for more info
|
This has been fixed, closed. |
A lack of filtering around line 253 of abe.py allows attackers to abuse the Page Not Found error handler and pass rogue JavaScript to unsuspecting users using a specially crafted URL:

`https://host.name/<img src=x onerror=alert(document.cookie)>">`

MITRE has assigned CVE-2020-11944 to this flaw. Thank you.
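The fix discussed in this thread, as an added example that is not part of the original issue and is not Abe's code: a minimal WSGI 404 handler that reflects `PATH_INFO`, rendered with and without the escape step. The template text, the function names and the use of Python 3's `html.escape` in place of the `escape` call quoted in the comments are assumptions made for illustration.

```python
from html import escape  # Python 3 stand-in (assumption) for the escape() call in the thread

# Hypothetical 404 template; Abe's real template is not shown on this page.
TEMPLATE = (
    '<html><body><a href="%(dotdot)s">home</a>'
    "<p>Sorry, %(path)s does not exist on this server.</p></body></html>"
)

def render_not_found(env, fixed):
    """Build the 404 body from a WSGI environ, with or without the fix."""
    if fixed:
        # The fix from the thread: escape PATH_INFO before anything reads it.
        env["PATH_INFO"] = escape(env["PATH_INFO"], quote=True)
    page = {
        # Same expression as quoted in the thread; escape() leaves "/" untouched.
        "dotdot": "../" * (env["PATH_INFO"].count("/") - 1),
        "path": env["PATH_INFO"],
    }
    return TEMPLATE % page

def app(env, start_response, fixed=True):
    """WSGI entry point that always answers 404, reflecting the requested path."""
    body = render_not_found(env, fixed).encode("utf-8")
    headers = [("Content-Type", "text/html; charset=utf-8"),
               ("Content-Length", str(len(body)))]
    start_response("404 Not Found", headers)
    return [body]

def call(path, fixed):
    """Drive the app with a constructed environ and return (status, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    chunks = app({"PATH_INFO": path}, start_response, fixed)
    return seen["status"], b"".join(chunks).decode("utf-8")

# Constructed request path, taken from the URL in the report above.
SAMPLE_PATH = '/<img src=x onerror=alert(document.cookie)>">'

if __name__ == "__main__":
    for fixed in (False, True):
        status, body = call(SAMPLE_PATH, fixed)
        print("fixed=%s status=%s raw_tag_in_body=%s" % (fixed, status, "<img" in body))
```

Escaping at the point where `PATH_INFO` is first read means every later use of the value in the page dictionary is covered, which is why the thread places the line above the `"dotdot"` entry.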