Jetty / JETTY-980

Security / Directory Listing XSS present

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 6.1.15
    • Fix Version/s: 6.1.17
    • Component/s: Security and SSL
    • Labels: None
    • Number of attachments: 1

      Description

      A Directory Listing XSS has been reported.

      A reflective XSS can be induced whenever Jetty displays a web directory listing.

      Client-side script code can be included in the HTTP response by appending it to the directory listing's path, preceded by the ';' character.

      A PoC follows:

      $ echo -e "GET /cometd/dijit/;<script>alert(document.title);</script> HTTP/1.0\n\n" | nc 127.0.0.1 8080 
      HTTP/1.1 200 OK
      Content-Type: text/html; charset=utf-8 
      Content-Length: 5097 
      Server: Jetty(7.0.0.pre5)
      

          Activity

          Joakim Erdfelt added a comment -

          Adding proper HTML and URL encoding to prevent XSS (and other nasties) from executing.

          Requires JETTY-992

          Greg Wilkins added a comment -

          Fixed

          Greg Wilkins added a comment -

          The encoding of directory links is still not entirely correct.

          For example, if a file called /abc? exists, then the link for this
          in a directory listing is being generated as /abc%253F/

          i.e., it is being encoded twice!

          Joakim Erdfelt added a comment -

          Adding more tests for some bad encoding issues.

          NOTE: patch just exercises the bug, does not fix the bug.

          Greg Wilkins added a comment -

          fixed in JETTY-1004
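
The two encoding problems discussed in this issue, as an added example that is not Jetty's code or any patch from this thread: the reflected request path is HTML-escaped, and each raw file name is percent-encoded exactly once before it goes into a link. The class and method names are hypothetical, and the inputs are constructed from the PoC path and the "abc?" file name quoted above.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;
public class ListingEncodingDemo {
    // HTML-escape text before it is placed in element content or a quoted attribute.
    static String htmlEscape(String s) {
        StringBuilder out = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }
    // Percent-encode one RAW (not yet encoded) path segment, exactly once.
    static String encodeSegment(String raw) {
        StringBuilder out = new StringBuilder();
        for (byte b : raw.getBytes(StandardCharsets.UTF_8)) {
            char c = (char) (b & 0xFF);
            boolean unreserved = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || "-._~".indexOf(c) >= 0;
            if (unreserved) out.append(c);
            else out.append(String.format("%%%02X", b & 0xFF));
        }
        return out.toString();
    }

    // Render a listing: the request path is display text, file names feed both href and text.
    static String render(String requestPath, List<String> names) {
        StringBuilder html = new StringBuilder("<h1>Directory: " + htmlEscape(requestPath) + "</h1>\n");
        for (String name : names) {
            html.append("<a href=\"").append(htmlEscape(encodeSegment(name))).append("/\">")
                .append(htmlEscape(name)).append("/</a>\n");
        }
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the path from the report's PoC and the "abc?" name from the comments.
        String path = "/cometd/dijit/;<script>alert(document.title);</script>";
        System.out.print(render(path, List.of("abc?", "a&b \"c\"")));
        // Encoding an already-encoded name reproduces the double-encoding symptom: abc%253F
        System.out.println(encodeSegment(encodeSegment("abc?")));
    }
}
```

The link for "abc?" comes out as abc%3F/, and the script tag from the request path appears only as escaped text in the heading.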


            People

            • Assignee:
              Greg Wilkins
              Reporter:
              Joakim Erdfelt
            • Votes:
              0
              Watchers:
              1
