FS#1974 - uhttpd: unauthenticated reflected XSS issue #6868

Closed
openwrt-bot opened this issue Nov 28, 2018 · 2 comments
@openwrt-bot openwrt-bot commented Nov 28, 2018

timk:

Hi,

I discovered an unauthenticated reflected XSS issue in OpenWRT 18.06.1:

$ curl -i 'http://router/cgi-bin/?<script>cross_site_scripting.nasl</script>'
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Transfer-Encoding: chunked
Keep-Alive: timeout=20
Content-Type: text/html

Forbidden

You don't have permission to access /cgi-bin/?<script>cross_site_scripting.nasl</script> on this server.

You can see that the path is not being encoded. Most browsers these days will probably properly encode it when sending the request, but it's still a good idea to fix it.

I can see where it needs to be encoded in cgi.c:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=cgi.c#l73

67 static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
68 {
69     unsigned int mode = S_IFREG | S_IXOTH;
70
71     if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
72         uh_client_error(cl, 403, "Forbidden",
73                         "You don't have permission to access %s on this server.",
74                         url);
75         return;
76     }

There's another instance of the same error message which appears to be properly encoded using uh_htmlescape() from utils.c, so you could probably just do the same:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=file.c#l693

690     escaped_url = uh_htmlescape(url);
691
692     uh_client_error(cl, 403, "Forbidden",
693                     "You don't have permission to access %s on this server.",
694                     escaped_url ? escaped_url : "the url");
695
696     if (escaped_url)
697         free(escaped_url);

Cheers
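The escape-before-format pattern the report recommends, as an added stand-alone example that is not part of the original report and is not uhttpd's code. `html_escape()` and `render_403()` are hypothetical names; the sample path is the one from the curl request above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not uhttpd's uh_htmlescape(): returns a malloc'd copy
 * of src with HTML metacharacters replaced by entities, or NULL on failure. */
char *html_escape(const char *src)
{
    char *out = malloc(strlen(src) * 6 + 1); /* worst case: 6 bytes per input byte */
    char *p = out;
    if (!out)
        return NULL;
    for (; *src; src++) {
        const char *rep = NULL;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep)
            p += sprintf(p, "%s", rep);
        else
            *p++ = *src;
    }
    *p = '\0';
    return out;
}

/* Builds the 403 body; falls back to a fixed string if escaping fails,
 * as the file.c snippet quoted in the report does. */
int render_403(char *buf, size_t size, const char *url)
{
    char *escaped = html_escape(url);
    int n = snprintf(buf, size,
        "You don't have permission to access %s on this server.",
        escaped ? escaped : "the url");
    free(escaped);
    return n;
}

int main(void)
{
    char body[512];
    /* Constructed input: the request path from the report's curl command. */
    render_403(body, sizeof(body), "/cgi-bin/?<script>cross_site_scripting.nasl</script>");
    puts(body);
    return 0;
}
```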
