OpenWrt/LEDE Project

  • Status Closed
  • Percent Complete
    100%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Votes
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by Tim Kent - 28.11.2018
Last edited by Jo-Philipp Wich - 28.11.2018

FS#1974 - uhttpd: unauthenticated reflected XSS issue

Hi,

I discovered an unauthenticated reflected XSS issue in OpenWRT 18.06.1:

$ curl -i 'http://router/cgi-bin/?<script>cross_site_scripting.nasl</script>'
HTTP/1.1 403 Forbidden
Connection: Keep-Alive
Transfer-Encoding: chunked
Keep-Alive: timeout=20
Content-Type: text/html

<h1>Forbidden</h1>You don't have permission to access /cgi-bin/?<script>cross_site_scripting.nasl</script> on this server.

You can see that the path is not being encoded. Most browsers these days will probably properly encode it when sending the request, but it’s still a good idea to fix it.

I can see where it needs to be encoded in cgi.c:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=cgi.c#l73

  67 static void cgi_handle_request(struct client *cl, char *url, struct path_info *pi)
  68 {
  69         unsigned int mode = S_IFREG | S_IXOTH;
  70 
  71         if (!pi->ip && !((pi->stat.st_mode & mode) == mode)) {
  72                 uh_client_error(cl, 403, "Forbidden",
  73                                 "You don't have permission to access %s on this server.",
  74                                 url);
  75                 return;
  76         }

There’s another instance of the same error message which appears to be properly encoded using uh_htmlescape() from utils.c, so you could probably just do the same:
https://git.openwrt.org/?p=project/uhttpd.git;a=blob;f=file.c#l693

 690         escaped_url = uh_htmlescape(url);
 691 
 692         uh_client_error(cl, 403, "Forbidden",
 693                         "You don't have permission to access %s on this server.",
 694                         escaped_url ? escaped_url : "the url");
 695 
 696         if (escaped_url)
 697                 free(escaped_url);

Cheers
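An added illustration of the fix pattern the report describes (this is not uhttpd's own code and is not part of the original report): escape the request path before interpolating it into the HTML error body, then check that the rendered body contains no markup originating from the path. The names html_escape, forbidden_body and body_is_safe are assumed for this example; uhttpd's real helper is uh_htmlescape() in utils.c, whose exact escaping set is not shown on this page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal HTML escaper in the spirit of uhttpd's uh_htmlescape().
 * Assumed name and behaviour for this example; returns a newly
 * allocated string, or NULL on allocation failure. */
static char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    char *out, *q;

    /* First pass: compute the escaped length. */
    for (p = s; *p; p++) {
        switch (*p) {
        case '<': case '>': len += 4; break;   /* &lt; &gt;  */
        case '&':           len += 5; break;   /* &amp;      */
        case '"':           len += 6; break;   /* &quot;     */
        case '\'':          len += 5; break;   /* &#39;      */
        default:            len += 1; break;
        }
    }

    out = malloc(len + 1);
    if (!out)
        return NULL;

    /* Second pass: copy, substituting the reserved characters. */
    for (p = s, q = out; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t rl = strlen(rep);
            memcpy(q, rep, rl);
            q += rl;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Build the 403 body the way the fixed code path should: the URL is
 * escaped before it reaches the format string. Caller frees the result. */
static char *forbidden_body(const char *url)
{
    char *escaped = html_escape(url);
    const char *shown = escaped ? escaped : "the url";
    const char *fmt =
        "<h1>Forbidden</h1>You don't have permission to access %s on this server.";
    int n = snprintf(NULL, 0, fmt, shown);
    char *body = NULL;

    if (n >= 0) {
        body = malloc((size_t)n + 1);
        if (body)
            snprintf(body, (size_t)n + 1, fmt, shown);
    }
    free(escaped);
    return body;
}

/* Defensive check: after the fixed <h1> heading, no '<' or '>' may appear,
 * so nothing taken from the request path can be parsed as a tag. */
static int body_is_safe(const char *body)
{
    const char *prefix = "<h1>Forbidden</h1>";
    const char *rest;

    if (!body || strncmp(body, prefix, strlen(prefix)) != 0)
        return 0;
    rest = body + strlen(prefix);
    return strchr(rest, '<') == NULL && strchr(rest, '>') == NULL;
}

int main(void)
{
    /* Constructed input mirroring the path used in the report above. */
    const char *url = "/cgi-bin/?<script>cross_site_scripting.nasl</script>";
    char *body = forbidden_body(url);

    printf("%s\nsafe: %s\n", body ? body : "(alloc failed)",
           body_is_safe(body) ? "yes" : "no");
    free(body);
    return 0;
}
```

The check in body_is_safe is deliberately strict about the body layout: it relies on the heading being the only markup the server itself emits, which is the case for the error template quoted in the report.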

Closed by Jo-Philipp Wich
28.11.2018 16:36
Reason for closing: Fixed
Additional comments about closing: Fix implemented
