Don't show user-supplied content in error pages #212

Closed
LukasReschke opened this issue Jan 18, 2017 · 4 comments
@LukasReschke
First: Thanks for this awesome Apache module! :) 🚀

Via our Bug Bounty program we got some reports of Text Injections in the error pages such as https://logs.nextcloud.com/redirect_uri?THE......SERVER.....WAS.....NOT......FOUND......PLEASE......GO......TO.....MALICIOUSLINK.COM which would render as:

Error:

Invalid Request

Description:

The OpenID Connect callback URL received an invalid request: THE......SERVER.....WAS.....NOT......FOUND......PLEASE......GO......TO.....MALICIOUSLINK.COM

While I don't really see this as a security-relevant issue since spaces etc. are properly converted, it would be awesome if the error messages did not show the user-supplied content, as I'm sure I'll otherwise have to cope with some more of these reports :)
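To make the reflected-text problem described above concrete, here is an added example (not mod_auth_openidc's own code) contrasting an error description that echoes the untrusted query string with one that keeps the page text constant and only records a sanitised copy for the server log. The function names and the 200-character log cap are assumptions for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Before: the untrusted request data lands in the page body, so whatever
   the caller put after the redirect URI is shown to the visitor. */
int describe_error_echoing(char *out, size_t outlen, const char *untrusted) {
    return snprintf(out, outlen,
        "The OpenID Connect callback URL received an invalid request: %s",
        untrusted);
}

/* After: the description is a fixed string; the untrusted input is never
   reflected into the response. */
int describe_error_fixed(char *out, size_t outlen, const char *untrusted) {
    (void)untrusted; /* deliberately not used in the response body */
    return snprintf(out, outlen,
        "The OpenID Connect callback URL received an invalid request.");
}

/* Operators still want the detail, so keep it server-side: replace any
   non-printable byte (CR/LF, escape sequences) with '?' and cap the length
   (assumed 200 bytes) so the log line itself cannot be forged or bloated.
   Returns the number of bytes written, not counting the terminator. */
size_t sanitize_for_log(char *out, size_t outlen, const char *untrusted) {
    size_t n = 0;
    for (const char *p = untrusted; *p && n + 1 < outlen && n < 200; p++) {
        out[n++] = isprint((unsigned char)*p) ? *p : '?';
    }
    out[n] = '\0';
    return n;
}
```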

@zandbelt
Member

zandbelt commented Jan 18, 2017

I don't think I follow:

Are you worried about a user manipulating a URL in his browser and then being phished into copy/pasting to the address bar the URL that is suggested by himself...?

Or are you worried about a user visiting a malicious site that redirects the user to your site and displays non-clickable text that the user would then copy/paste into the address bar?

Both seem far-fetched to me, unless there's something that I'm missing.

OTOH: it could be a good idea to minimize the information in the error message on a false request to the redirect URI; I don't disagree with that.

@LukasReschke
Author

The actual vector here is https://www.owasp.org/index.php/Content_Spoofing, basically an adversary sending a URL to somebody and hoping that they give it more trust based on the domain in scope. I do agree though on the questionability with regard to successful exploitation :)

Thanks for fixing nevertheless! Already got 2 reports about this by some reporters, so that will keep the noise down once we've redeployed via Ansible :)

@zandbelt
Member

It is in release 2.1.4 now.

@carnil

carnil commented Feb 17, 2017

This has been assigned CVE-2017-6059.
