Reflected XSS in handler_server_info #1227
Comments
skinkie changed the title from "Reflected XSS in About page" to "Reflected XSS in handler_server_info" on Oct 27, 2019.
skinkie added a commit that referenced this issue on Oct 27, 2019:
Issue #1227 describes an XSS vulnerability on the about page of cherokee-admin. While the report by LogicalTrust only describes a JavaScript variant, a CSS method could also be probed via logo.gif. The root cause is the request being verbatim copied into the HTML template. The request could be escaped, but that leads to the question: why are we presenting a full path, instead of a relative path to the page? This change removes the full path and makes it relative. No URL is being printed in the template, the XSS is avoided, and therefore it should also be faster.
skinkie added a commit that referenced this issue on Nov 14, 2019.
skinkie added a commit that referenced this issue on Nov 14, 2019:
Use relative paths in the handler_server_info page. Issue #1227 describes an XSS vulnerability on the about page of cherokee-admin, which uses Handler ServerInfo. While the report by LogicalTrust only describes a JavaScript variant, a CSS method could also be probed via logo.gif. The root cause is the request being verbatim copied into the HTML template. The request could be escaped, but that leads to the question: why are we presenting a full path, instead of a relative path to the page? This change removes the full path and makes it relative. No URL is being printed in the template, the XSS is avoided, and therefore it should also be faster. We have added QA test 307 for the issue.
@mmmds Thanks for doing the research on our code and reporting the issue. I have committed a patch and qa-test to our master branch.
Requested URL is improperly displayed on the About page. The problem occurs on the default configuration in Cherokee and the Cherokee administrator panel. XSS in the administrator panel can be used to reconfigure the server and execute arbitrary commands.
PoC
Setup (creates twenty test directories under /var/www, each with a test.html):
mkdir /var/www/test{1..20}; for i in $(seq 1 20); do echo test > /var/www/test$i/test.html; done
found by: Mateusz Kocielski, Michał Dardas from LogicalTrust
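The root cause named in the commit messages above is a request target substituted verbatim into an HTML template; the two mitigations discussed are escaping the value or, as the fix chose, not printing the request at all and emitting a relative link. The following added example (it is not Cherokee's code; the template fragment, function names and the request target are hypothetical and constructed) renders the same link fragment all three ways and checks, with the standard-library HTML parser, whether the rendered output contains any element other than the single intended anchor.

```python
"""Added example, not Cherokee code: verbatim vs. escaped vs. relative link rendering.

The template and request target below are constructed for illustration.
"""
import html
from html.parser import HTMLParser

# Hypothetical template fragment: the page wants exactly one <a> element.
TEMPLATE = '<a href="{href}">About this server</a>'

# Constructed request target containing HTML-significant characters.
# A harmless <b> element stands in for anything an attacker might inject.
CONSTRUCTED_REQUEST_TARGET = '/about/"><b>x</b>'


def render_verbatim(request_target: str) -> str:
    """Vulnerable pattern from the issue: request copied as-is into the template."""
    return TEMPLATE.format(href=request_target)


def render_escaped(request_target: str) -> str:
    """Mitigation 1: escape for an attribute context (quote=True also encodes quotes)."""
    return TEMPLATE.format(href=html.escape(request_target, quote=True))


def render_relative(request_target: str) -> str:
    """Mitigation 2 (what the fix chose): never echo the request; use a fixed relative href."""
    del request_target  # deliberately unused: nothing from the request reaches the output
    return TEMPLATE.format(href="./")


class _TagCollector(HTMLParser):
    """Collects the start tags the browser would see in the rendered fragment."""

    def __init__(self) -> None:
        super().__init__()
        self.seen: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.seen.append(tag)


def injected_markup(rendered: str) -> bool:
    """True if the fragment parses into anything other than the single intended <a>."""
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return parser.seen != ["a"]


if __name__ == "__main__":
    for name, fn in (("verbatim", render_verbatim),
                     ("escaped", render_escaped),
                     ("relative", render_relative)):
        out = fn(CONSTRUCTED_REQUEST_TARGET)
        print(f"{name:9s} injected={injected_markup(out)!s:5s} {out}")
```

The parser-based check is the kind of assertion a regression test (the commit mentions QA test 307) can make: it does not look for a particular payload string, only for the structural fact that the rendered fragment contains exactly the elements the template intended. Note that the relative-path variant makes the question of escaping moot, which is why the commit message calls it both safer and cheaper.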