Reflected XSS in handler_server_info #1227

Closed
mmmds opened this issue Jul 25, 2019 · 1 comment

mmmds commented Jul 25, 2019

The requested URL is improperly displayed on the About page. The problem occurs in the default configuration of both Cherokee and the Cherokee administrator panel. XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.

PoC

http://127.0.0.1/about/"><script>alert(1)</script>
http://127.0.0.1:9090/about/"><script>alert(1)</script>

Setup:

  • Ubuntu 18.04 64 bit
  • source code from GitHub, commit 9a75e65
  • build command:
    ac_cv_func_realloc_0_nonnull=yes ac_cv_func_malloc_0_nonnull=yes LDFLAGS="-lasan" LDADD="-lasan" CFLAGS="-fsanitize=address -ggdb -O0 -fprofile-arcs -ftest-coverage" ./configure --prefix=`pwd`/bin --enable-trace --enable-static-module=all --enable-static --enable-shared=no
    make
  • files in webroot:
    mkdir /var/www/test{1..20}; for i in $(seq 1 20); do echo test > /var/www/test$i/test.html; done
  • configuration file cherokee.txt

found by: Mateusz Kocielski, Michał Dardas from LogicalTrust

@skinkie skinkie self-assigned this Jul 25, 2019
@skinkie skinkie changed the title Reflected XSS in About page Reflected XSS in handler_server_info Oct 27, 2019
skinkie added a commit that referenced this issue Oct 27, 2019
Issue #1227 describes an XSS vulnerability on the about page of cherokee-admin.
While the report by LogicalTrust only describes a JavaScript variant, a CSS method could also be probed via logo.gif.

The root cause is the request being verbatim copied into the HTML template. The request could be escaped, but leads to the question: Why are we presenting a full path, instead of a relative path to the page? This change removes the full path, and makes it relative. No URL is being printed in the template, and the XSS is avoided and therefore it should also be faster.
skinkie added a commit that referenced this issue Nov 14, 2019
* Use relative paths in the handler_server_info page

Issue #1227 describes an XSS vulnerability on the about page of cherokee-admin, which uses Handler ServerInfo. While the report by LogicalTrust only describes a JavaScript variant, a CSS method could also be probed via logo.gif.

The root cause is the request being verbatim copied into the HTML template. The request could be escaped, but leads to the question: Why are we presenting a full path, instead of a relative path to the page? This change removes the full path, and makes it relative. No URL is being printed in the template, and the XSS is avoided and therefore it should also be faster.

We have added QA test 307 for the issue.
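The root cause named in the commit message (the request path copied verbatim into the HTML template) and the PoC in the report can be reproduced in a few lines. The following is an added example written for this page; it is not Cherokee's handler_server_info code, and the template shape (an img tag whose src is built from the request path, following the commit's mention of logo.gif), the function names and the constructed PoC path are assumptions. It shows the verbatim copy, the escaping alternative the commit mentions, the relative-path approach the patch actually took, and the kind of check a QA test can run against the rendered response.

```c
/* Added example for issue #1227; not Cherokee's code. Function names,
 * the template fragment and the sample path are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed request path mirroring the PoC URL from the report
 * (the path part of http://127.0.0.1:9090/about/"><script>alert(1)</script>). */
static const char *POC_PATH = "/about/\"><script>alert(1)</script>";

/* Vulnerable variant: the request path lands in an attribute verbatim.
 * The '"' in the path closes the attribute and the rest becomes markup.
 * Returns a malloc'd string; caller frees. */
char *render_vulnerable(const char *path) {
    const char *fmt = "<img src=\"%slogo.gif\">";
    size_t n = strlen(fmt) + strlen(path) + 1;
    char *out = malloc(n);
    if (!out) return NULL;
    snprintf(out, n, fmt, path);
    return out;
}

/* Minimal HTML escaper for text and double-quoted attribute contexts.
 * Worst case growth is 6x ("&quot;"). Returns a malloc'd string. */
char *html_escape(const char *s) {
    size_t cap = strlen(s) * 6 + 1;
    char *out = malloc(cap);
    if (!out) return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) { size_t l = strlen(rep); memcpy(p, rep, l); p += l; }
        else      *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* Escaping alternative mentioned in the commit message: same template,
 * but the path is escaped before insertion. Returns a malloc'd string. */
char *render_escaped(const char *path) {
    char *esc = html_escape(path);
    if (!esc) return NULL;
    char *out = render_vulnerable(esc);   /* safe now: esc has no '"', '<' or '>' */
    free(esc);
    return out;
}

/* What the patch did instead: the request path is never printed at all,
 * so there is nothing to escape. A static string suffices. */
const char *render_relative(void) {
    return "<img src=\"logo.gif\">";
}

/* QA-style check: does the rendered page still contain the raw payload?
 * Returns 1 if "<script>" survives unescaped, else 0. */
int reflects_raw(const char *html) {
    return strstr(html, "<script>") != NULL;
}

int main(void) {
    char *v = render_vulnerable(POC_PATH);
    char *e = render_escaped(POC_PATH);
    printf("vulnerable: %s\n  reflected=%d\n", v, reflects_raw(v));
    printf("escaped:    %s\n  reflected=%d\n", e, reflects_raw(e));
    printf("relative:   %s\n  reflected=%d\n", render_relative(),
           reflects_raw(render_relative()));
    free(v);
    free(e);
    return 0;
}
```

The check in reflects_raw is deliberately narrow: it matches the exact marker from the PoC, which is what a regression test for this one report needs. A broader test would also probe attribute contexts with a lone double quote, since that is the character that breaks out of the template here.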
skinkie commented Nov 14, 2019

@mmmds Thanks for doing the research on our code and reporting the issue. I have committed a patch and qa-test to our master branch.

@skinkie skinkie closed this as completed Nov 14, 2019