timk:
Hi,
I discovered an unauthenticated reflected XSS issue in OpenWRT 18.06.1:
```
$ curl -i 'http://router/cgi-bin/?<script>cross_site_scripting.nasl</script>'
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Transfer-Encoding: chunked
Keep-Alive: timeout=20
Content-Type: text/html

Forbidden
You don't have permission to access /cgi-bin/?<script>cross_site_scripting.nasl</script> on this server.
```

You can see that the path is not being encoded. Most browsers these days will probably properly encode it when sending the request, but it's still a good idea to fix it.
I can see where it needs to be encoded in cgi.c:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=cgi.c#l73
```c
67 static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
68 {
69 	unsigned int mode = S_IFREG | S_IXOTH;
70
71 	if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
72 		uh_client_error(cl, 403, "Forbidden",
73 		                "You don't have permission to access %s on this server.",
74 		                url);
75 		return;
76 	}
```
There's another instance of the same error message which appears to be properly encoded using uh_htmlescape() from utils.c, so you could probably just do the same:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=file.c#l693
```c
690 	escaped_url = uh_htmlescape(url);
691
692 	uh_client_error(cl, 403, "Forbidden",
693 	                "You don't have permission to access %s on this server.",
694 	                escaped_url ? escaped_url : "the url");
695
696 	if (escaped_url)
697 		free(escaped_url);
```
Cheers
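The following is an added, stand-alone example (not uhttpd code and not part of the report above) showing the mitigation the report points at: escaping the request path before it is interpolated into the HTML body of the 403 page, as the file.c path already does. `html_escape()`, `build_forbidden_body()` and `body_has_raw_markup()` are hypothetical names; `html_escape()` stands in for uhttpd's `uh_htmlescape()` and only assumes the usual contract of returning a malloc'd copy (or NULL) that the caller frees. The request path in `main()` is constructed to mirror the report, not captured traffic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for uhttpd's uh_htmlescape(): returns a newly
 * allocated copy of s with the five HTML-significant characters replaced
 * by entities, or NULL on allocation failure. The caller frees it. */
static char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    char *out, *q;

    /* First pass: compute the escaped length. */
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break; /* &amp;  */
        case '<':  len += 4; break; /* &lt;   */
        case '>':  len += 4; break; /* &gt;   */
        case '"':  len += 6; break; /* &quot; */
        case '\'': len += 5; break; /* &#39;  */
        default:   len += 1; break;
        }
    }

    out = malloc(len + 1);
    if (!out)
        return NULL;

    /* Second pass: copy with substitutions. */
    for (p = s, q = out; *p; p++) {
        const char *rep;
        size_t rl;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   *q++ = *p; continue;
        }
        rl = strlen(rep);
        memcpy(q, rep, rl);
        q += rl;
    }
    *q = '\0';
    return out;
}

/* Build the 403 body the way the file.c path does: escape the
 * client-controlled URL before it is formatted into HTML, and fall back
 * to a fixed string if escaping fails. Returns a malloc'd string. */
char *build_forbidden_body(const char *url)
{
    static const char fmt[] =
        "You don't have permission to access %s on this server.";
    char *escaped = html_escape(url);
    const char *shown = escaped ? escaped : "the url";
    size_t need = strlen(fmt) + strlen(shown) + 1; /* generous upper bound */
    char *body = malloc(need);

    if (body)
        snprintf(body, need, fmt, shown);
    free(escaped); /* free(NULL) is a no-op */
    return body;
}

/* Simple check a test or log scanner can apply: does the rendered body
 * still contain raw angle brackets, i.e. unescaped markup? */
int body_has_raw_markup(const char *body)
{
    return strchr(body, '<') != NULL || strchr(body, '>') != NULL;
}

int main(void)
{
    /* Constructed request path mirroring the report (not captured traffic). */
    const char *url = "/cgi-bin/?<script>cross_site_scripting.nasl</script>";
    char *body = build_forbidden_body(url);

    if (!body)
        return 1;
    printf("%s\n", body);
    printf("raw markup left: %s\n", body_has_raw_markup(body) ? "yes" : "no");
    free(body);
    return 0;
}
```

The fallback string "the url" mirrors the existing file.c code: if escaping cannot allocate, the error page still never embeds the raw path.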