
XSS in case of 400 error #1223

mmmds opened this issue Jul 25, 2019 · 0 comments



commented Jul 25, 2019

If a Bad Request condition occurs, the server responds with a copy of the request.

The function cherokee_buffer_add_escape_html does not work properly if the buffer
contains \x00:

```c
if ((p0 = strpbrk (src->buf, "<>&\"")) == NULL) {
	/* No escape found, simply add src to buf.
	 */
	return cherokee_buffer_add_buffer (buf, src);
}
```

If there are no characters to escape before \x00, then this function simply adds the
data to the buffer, which results in unescaped data after \x00.

```c
case http_bad_request:
	cherokee_buffer_add_str (buffer,
	    "Your browser sent a request that this server could not understand.");
	cherokee_buffer_add_str   (buffer, "<p><pre>");
	cherokee_buffer_add_escape_html (buffer, conn->header.input_buffer);
	cherokee_buffer_add_str   (buffer, "</pre>");
	break;
```

  1. The request is not escaped, thus it is prone to XSS (we haven't investigated
     whether real-life scenarios exist).

  2. Probably copying the request is not the best idea from a security point of
     view, as it can reveal cookies etc. in the response body. Additionally, if the
     server is used behind a reverse proxy, it can leak internal headers.


  • Ubuntu 18.04 64 bit

  • source code from github, commit 9a75e65

  • build command:

```shell
ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
```

  • files in webroot: `mkdir /var/www/test{1..20}; for i in \`seq 1 20\`; do echo test > test$i/test.html; done`

  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
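The following is an added, self-contained C example illustrating the report above; it is not Cherokee's code and was not written by the reporters. `buf_t` is a stand-in for `cherokee_buffer` (a NUL-terminated heap string whose `len` field, not `strlen()`, is authoritative), `add_escape_html_strpbrk` reproduces the `strpbrk()` early-out quoted from the issue, `add_escape_html_len` is a length-aware replacement, and `REQ` is a constructed malformed request line with an embedded NUL followed by markup. `render_400` assembles the body the same way the `http_bad_request` case does and reports whether a raw `<script>` tag reached the output.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for cherokee_buffer (assumption): NUL-terminated, len is authoritative. */
typedef struct {
    char  *buf;
    size_t len;
    size_t size;
} buf_t;

typedef void (*escape_fn)(buf_t *dst, const buf_t *src);

static void buf_init(buf_t *b) { b->buf = NULL; b->len = 0; b->size = 0; }
static void buf_free(buf_t *b) { free(b->buf); buf_init(b); }

/* Append n raw bytes (NULs included) and keep a trailing terminator. */
static void buf_add(buf_t *b, const char *data, size_t n)
{
    if (b->len + n + 1 > b->size) {
        size_t ns = (b->len + n + 1) * 2;
        char *p = realloc(b->buf, ns);
        if (p == NULL) abort();
        b->buf = p;
        b->size = ns;
    }
    memcpy(b->buf + b->len, data, n);
    b->len += n;
    b->buf[b->len] = '\0';
}

static void buf_add_str(buf_t *b, const char *s) { buf_add(b, s, strlen(s)); }

/* Entity for an HTML metacharacter, or NULL if the byte can be copied as-is. */
static const char *html_entity(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    default:   return NULL;
    }
}

/* Escape every byte of src->len; never consults the C string length. */
static void add_escape_html_len(buf_t *dst, const buf_t *src)
{
    for (size_t i = 0; i < src->len; i++) {
        const char *ent = html_entity(src->buf[i]);
        if (ent) buf_add_str(dst, ent);
        else     buf_add(dst, &src->buf[i], 1);
    }
}

/* Flawed variant mirroring the early-out in the issue: strpbrk() stops at the
 * first NUL, so if no metacharacter precedes it, all src->len bytes are copied
 * verbatim, including whatever follows the NUL. */
static void add_escape_html_strpbrk(buf_t *dst, const buf_t *src)
{
    if (strpbrk(src->buf, "<>&\"") == NULL) {
        buf_add(dst, src->buf, src->len);   /* bytes after \0 land unescaped */
        return;
    }
    add_escape_html_len(dst, src);
}

/* Length-delimited search that does not stop at embedded NULs. */
static int buf_contains(const buf_t *b, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= b->len; i++)
        if (memcmp(b->buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Constructed malformed request: a NUL byte, then markup, then a valid tail. */
static const char REQ[] = "GET /\0<script>alert(1)</script> HTTP/1.1\r\n";
#define REQ_LEN (sizeof REQ - 1)

/* Build the 400 body as the http_bad_request case does, using the given escaper.
 * Returns 1 if a raw <script> tag survived into the body, 0 otherwise. */
static int render_400(escape_fn escape, buf_t *out)
{
    buf_t in;
    buf_init(&in);
    buf_add(&in, REQ, REQ_LEN);
    buf_init(out);
    buf_add_str(out, "Your browser sent a request that this server could not understand.");
    buf_add_str(out, "<p><pre>");
    escape(out, &in);
    buf_add_str(out, "</pre>");
    buf_free(&in);
    return buf_contains(out, "<script>");
}

int main(void)
{
    buf_t out;
    printf("strpbrk early-out: raw <script> in body = %d\n",
           render_400(add_escape_html_strpbrk, &out));
    buf_free(&out);
    printf("length-aware:      raw <script> in body = %d\n",
           render_400(add_escape_html_len, &out));
    fwrite(out.buf, 1, out.len, stdout);   /* body contains a NUL; do not use %s */
    putchar('\n');
    buf_free(&out);
    return 0;
}
```

The fix is to drive the escaper off `src->len` rather than off any C-string function; `strpbrk`, `strlen` and `strchr` all treat the first NUL as end of input, so any check that uses them to decide "nothing to escape" is bypassed by a request containing a NUL byte.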

@skinkie skinkie self-assigned this Jul 25, 2019

@skinkie skinkie added the t:bug label Jul 25, 2019
