XSS through X-Forwarded-For header spoofing #346

Closed
GoogleCodeExporter opened this issue Jun 21, 2015 · 5 comments
Comments

@GoogleCodeExporter

It is possible to inject an XSS payload via a manipulated "X-Forwarded-For" header that will be rendered unescaped as the remote address in the sessions report page.

IMO the bug is in the MonitoringFilter.putUserInfoInSession() method, because the "X-Forwarded-For" header should be handled as untrusted input data:

    // The header value is client-controlled and is stored verbatim.
    final String forwardedFor = httpRequest.getHeader("X-Forwarded-For");
    final String remoteAddr;
    if (forwardedFor == null) {
        remoteAddr = httpRequest.getRemoteAddr();
    } else {
        remoteAddr = httpRequest.getRemoteAddr() + " forwarded for " + forwardedFor;
    }
    session.setAttribute(SessionInformations.SESSION_REMOTE_ADDR, remoteAddr);


Original issue reported on code.google.com by rafael.l...@osoco.es on 26 Sep 2013 at 4:48

@GoogleCodeExporter

First, I acknowledge the issue.

I think that the fix should be to have an escaped rendering.

I will fix that shortly.
Many thanks for the report.

Original comment by evernat@free.fr on 26 Sep 2013 at 10:01
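As an added illustration (not JavaMelody's own code), the following shows the untrusted-input handling quoted in the report beside an HTML-escaping step applied at render time, which is the approach the maintainer describes; the class, method names and sample values are assumptions.

```java
public final class RemoteAddrRendering {

    // Mirrors the logic quoted in the report: the X-Forwarded-For value is
    // client-controlled and is concatenated verbatim into the stored string.
    static String describeRemoteAddr(String remoteAddr, String forwardedFor) {
        if (forwardedFor == null) {
            return remoteAddr;
        }
        return remoteAddr + " forwarded for " + forwardedFor;
    }

    // Minimal HTML escaping of the five characters that can break out of
    // text content or attribute values. Applied at render time, so the stored
    // session attribute keeps the raw value for logging and forensics.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable rendering: the raw value is written into the HTML table cell.
    static String renderUnescaped(String stored) {
        return "<td>" + stored + "</td>";
    }

    // Fixed rendering: the same value is HTML-escaped first.
    static String renderEscaped(String stored) {
        return "<td>" + escapeHtml(stored) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample (hypothetical address and header value).
        String stored = describeRemoteAddr("203.0.113.5", "<b>spoofed</b>");
        System.out.println(renderUnescaped(stored)); // markup reaches the browser
        System.out.println(renderEscaped(stored));   // markup shown as text
    }
}
```

Escaping at render time is what closes the XSS; whether the X-Forwarded-For value should be displayed at all is a separate decision, since it is only meaningful when set by a trusted proxy.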

@GoogleCodeExporter

It is now fixed.
It's committed in trunk (revision 3515) and it's ready for the next release 
(1.47).

If you need it, I have made a new build including the fix and it's available 
for your webapp at:
https://javamelody.googlecode.com/files/javamelody-20130927.jar

Note that the release 1.47, including that fix, is supposed to be released in 
just a few days from now.

Original comment by evernat@free.fr on 26 Sep 2013 at 10:22

  • Changed state: Fixed

@GoogleCodeExporter

And the new build of the plugin for JIRA, Confluence and Bamboo is available at:
https://javamelody.googlecode.com/files/jira-javamelody-20130927.jar

Original comment by evernat@free.fr on 26 Sep 2013 at 10:33

@GoogleCodeExporter

Thank you for the fast fix.

I requested a CVE ID for the issue. We can refer to it as CVE-2013-4378.

Rafa

Original comment by rafael.l...@osoco.es on 27 Sep 2013 at 8:31

@GoogleCodeExporter

CVE is available at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4378

Original comment by evernat@free.fr on 2 Oct 2013 at 7:03
