
XSS on 404 page of bugs.python.org #34

Closed
hannob opened this issue Mar 21, 2019 · 9 comments

Comments

@hannob

hannob commented Mar 21, 2019

There's an XSS on the error page of bugs.python.org:
https://bugs.python.org/%3Cimg%20src=x%20onerror=alert%281%29%3E

(Not sure if this is the right place to report it, I already reported it to the python bugtracker itself despite it having no proper category for it https://bugs.python.org/issue36391 )

@JulienPalard
Member

Hi @hannob! Thanks for reporting!

Looks to come from:

$ grep -r 'Not found'
roundup/cgi/wsgi_handler.py:            request.wfile.write('Not found: %s'%client.path)
frontends/roundup.cgi:                out.write('Not found: %s'%client.path)

may be fixed using cgi.escape().

Not sure how to do a pull request on this, @ewdurbin @ezio-melotti?
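The reflection that hannob reported and the escaping fix that Julien proposes, reduced to the handler pattern in question. This is an added example, not Roundup's code: the function names `not_found_unescaped`, `not_found_escaped` and `reflects_markup` are mine, and it uses Python 3's `html.escape()` because `cgi.escape()` (the Python 2 era call in the proposed patch) was removed in Python 3.8.

```python
# Added example (not Roundup's own code): the 404 handler pattern from the
# thread in its vulnerable and hardened forms, plus a small regression check.
# html.escape() is the Python 3 replacement for cgi.escape(); unlike
# cgi.escape() it also escapes quotes by default.
import html
from urllib.parse import unquote


def not_found_unescaped(path: str) -> str:
    """Original handler: the request path is interpolated straight into an
    HTML body, so any markup in the path is reflected to the browser as-is."""
    return 'Not found: %s' % path


def not_found_escaped(path: str) -> str:
    """Patched handler: the path is HTML-escaped first, so '<', '>', '&' and
    quotes become entities and can no longer open a tag or attribute."""
    return 'Not found: %s' % html.escape(path)


def reflects_markup(body: str) -> bool:
    """Regression check: a correctly escaped text body never contains a
    literal '<', so its presence means user input reached the page raw."""
    return '<' in body


# Constructed input: the URL-encoded path from the report, decoded the way a
# WSGI server hands it to the handler.
REPORTED_PATH = unquote('/%3Cimg%20src=x%20onerror=alert%281%29%3E')

if __name__ == '__main__':
    for name, handler in (('unescaped', not_found_unescaped),
                          ('escaped', not_found_escaped)):
        body = handler(REPORTED_PATH)
        print('%-9s reflects markup: %-5s body: %s'
              % (name, reflects_markup(body), body))
```

`reflects_markup` is the kind of assertion a regression test for this fix should make: request a path containing `<` and check that the body only ever contains `&lt;`.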

@ewdurbin
Member

bugs.python.org branch at https://bitbucket.org/python/roundup/src/bugs.python.org/, and should likely be filed at issues.roundup-tracker.org as well

@JulienPalard
Member

@ewdurbin It looks like I don't have the rights to push on this repo.

I'm proposing:

# HG changeset patch
# User Julien Palard <julien@palard.fr>
# Date 1553279943 -3600
#      Fri Mar 22 19:39:03 2019 +0100
# Branch bugs.python.org
# Node ID 229ada7883f19aaf95f764c08e0f5cebc43844e2
# Parent  d7454b42b914a69e6d1e1de99fe79fa6c8d6d982
FIX: XSS reported by hannob

fixes: https://github.com/python/bugs.python.org/issues/34

diff -r d7454b42b914 -r 229ada7883f1 frontends/roundup.cgi
--- a/frontends/roundup.cgi	Tue Oct 09 17:48:10 2018 -0700
+++ b/frontends/roundup.cgi	Fri Mar 22 19:39:03 2019 +0100
@@ -179,7 +179,7 @@
                 request.send_response(404)
                 request.send_header('Content-Type', 'text/html')
                 request.end_headers()
-                out.write('Not found: %s'%client.path)
+                out.write('Not found: %s'%cgi.escape(client.path))
 
     else:
         import urllib
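Review bot: `cgi.escape` is called on the `+` line of this hunk, but no `import cgi` appears in the visible context, and the `else:` branch just below does a local `import urllib`, which suggests this file imports lazily; please confirm `cgi` is imported at the top of frontends/roundup.cgi (or add it next to the local import), otherwise the 404 path raises a `NameError` instead of rendering. Since the escaped path lands in text content (`'Not found: %s'`) rather than inside an attribute, `cgi.escape`'s default of leaving quotes alone is sufficient for this line.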
diff -r d7454b42b914 -r 229ada7883f1 roundup/cgi/wsgi_handler.py
--- a/roundup/cgi/wsgi_handler.py	Tue Oct 09 17:48:10 2018 -0700
+++ b/roundup/cgi/wsgi_handler.py	Fri Mar 22 19:39:03 2019 +0100
@@ -66,7 +66,7 @@
             client.main()
         except roundup.cgi.client.NotFound:
             request.start_response([('Content-Type', 'text/html')], 404)
-            request.wfile.write('Not found: %s'%client.path)
+            request.wfile.write('Not found: %s'%cgi.escape(client.path))
 
         # all body data has been written using wfile
         return []
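Review bot: the same import check applies to roundup/cgi/wsgi_handler.py: the `+` line calls `cgi.escape` and nothing in the hunk shows `cgi` being imported. Separately, the `start_response` call two lines above the change declares `text/html` for a body that is plain text; sending `text/plain` there would remove the HTML interpretation context altogether, so the escape becomes a second layer rather than the only one. A regression test that requests a path containing `<` and asserts the body holds `&lt;` would keep both handlers honest.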

@fgeek

fgeek commented Apr 6, 2019

@hannob Did you request a CVE identifier for this vulnerability?

@hannob
Author

hannob commented Apr 6, 2019

> @hannob Did you request a CVE identifier for this vulnerability?

No, after my last experiences with CVE assignments I decided that I'll just stop caring about it. If you care about it feel free to try to assign one. I posted it to oss-sec and sometimes this causes other people to request CVEs.

@fgeek

fgeek commented Apr 6, 2019

Alright. CVE requested via https://cveform.mitre.org/. Have a nice weekend.

@fgeek

fgeek commented Apr 6, 2019

Use CVE-2019-10904.

ewdurbin pushed a commit to psf/bpo-roundup that referenced this issue Jun 30, 2020