
Fixed XSS issue #26

Merged
merged 1 commit into from Jan 22, 2015

ldrrp commented Jan 19, 2015

Response data from commands is not escaped before printing, leading to a potential XSS attack on all sites hosting the looking glass.

This can potentially even lead to viable attacks across subdomains via session fixation. (The user is tricked into going to this URL, e.g. in a hidden iframe. Cookies are overwritten with attacker-controlled cookies, and the user logs in while still using the attacker-controlled cookies.)

A proof of concept can be viewed by going to the URL in the looking glass:
/ajax.php?cmd=host&host=87.204.122.210

The reverse DNS record for that address contains HTML which inserts an image into the page.
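The escaping fix the report calls for, as an added Python illustration that is not the project's PHP code: `SAMPLE_OUTPUT` is a constructed `host`-style result whose PTR record carries an image tag (the real record is not reproduced), and `render_vulnerable` / `render_escaped` show the same command output before and after HTML-escaping, with a small check a reviewer could use to confirm no markup survives.

```python
import html
import re

# Constructed sample of what a reverse-lookup command could return when the PTR
# record contains HTML, as the report describes. The hostname is made up.
SAMPLE_OUTPUT = (
    "210.122.204.87.in-addr.arpa domain name pointer "
    '<img src="//attacker.example/p.gif">.example.net.\n'
)


def render_vulnerable(output: str) -> str:
    """Before the fix: command output is written into the page verbatim,
    so any tag inside a DNS record is parsed and executed by the browser."""
    return "<pre>" + output + "</pre>"


def render_escaped(output: str) -> str:
    """After the fix: encode &, <, >, " and ' so the record is displayed as
    text. The browser never sees a tag, whatever the remote data contains."""
    return "<pre>" + html.escape(output, quote=True) + "</pre>"


# Any tag other than the <pre> wrapper we add ourselves counts as foreign markup.
_FOREIGN_TAG = re.compile(r"<(?!/?pre>)[^>]+>")


def contains_foreign_markup(fragment: str) -> bool:
    """Review check: does the rendered fragment contain a tag that did not
    come from the template? True means untrusted data reached the page raw."""
    return _FOREIGN_TAG.search(fragment) is not None


def roundtrips(output: str) -> bool:
    """Escaping must be lossless: decoding the escaped text gives the original
    record back, so the operator still sees exactly what the command returned."""
    return html.unescape(html.escape(output, quote=True)) == output


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        page = render(SAMPLE_OUTPUT)
        print(f"{name}: foreign markup present = {contains_foreign_markup(page)}")
        print(page)
```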

Fixed XSS issue

telephone added a commit that referenced this pull request Jan 22, 2015

telephone merged commit 6334dae into telephone:master Jan 22, 2015
