Jetty

Security / Directory Listing XSS present

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.15
  • Fix Version/s: 6.1.17
  • Component/s: Security and SSL
  • Labels: None
  • Number of attachments: 1

Description

A Directory Listing XSS has been reported.

A reflected XSS can be induced whenever Jetty displays a web directory listing.

Client-side script code can be included in the HTTP response by appending it to the directory listing's path, preceded by the ';' character.

A PoC follows:

$ echo -e "GET /cometd/dijit/;<script>alert(document.title);</script> HTTP/1.0\n\n" | nc 127.0.0.1 8080 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Content-Length: 5097 
Server: Jetty(7.0.0.pre5)

Activity

Joakim Erdfelt added a comment -

Adding proper HTML and URL encoding to prevent XSS (and other nasties) from executing.

Requires JETTY-992

Greg Wilkins added a comment -

Fixed

Greg Wilkins added a comment -

The encoding of directory links is still not entirely correct.

For example, if a file called /abc? exists, then the link for this
in a directory listing is being generated as /abc%253F/

i.e., it is being encoded twice!

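The two defects discussed in this issue, the reflected path parameter from the PoC and the double-encoded href from the comment above, as an added example in Python that is not Jetty's own code. The ';' path-parameter handling and the listing layout are assumptions made for illustration; the point is that each value is URL-encoded once from the raw file name and HTML-escaped once for its output context.

```python
import html
from urllib.parse import quote, unquote

PATH_PARAM_SEP = ";"  # ';' introduces a path parameter (the PoC's injection point)


def encode_href(raw_path: str) -> str:
    """Percent-encode each segment of a *decoded* path exactly once.

    A file literally named 'abc?' becomes 'abc%3F'. Feeding an already
    encoded value back in yields 'abc%253F', the double encoding reported
    above, so callers must pass raw names only.
    """
    return "/".join(quote(seg, safe="") for seg in raw_path.split("/"))


def listing_unsafe(request_path: str, entries: list) -> str:
    """The pattern the report describes (constructed, not Jetty's code):
    the request path is copied into the HTML verbatim, so a
    ';<script>...' path parameter is reflected to the browser."""
    items = "".join('<li><a href="%s/%s">%s</a></li>' % (request_path, n, n)
                    for n in entries)
    return "<h1>Directory: %s</h1><ul>%s</ul>" % (request_path, items)


def listing_safe(request_path: str, entries: list) -> str:
    """Hardened rendering: the path parameter is dropped, every href is
    URL-encoded once from the raw name, and every value is HTML-escaped
    once for the context it lands in (attribute or element text)."""
    base = request_path.split(PATH_PARAM_SEP, 1)[0].rstrip("/")
    rows = []
    for name in entries:
        href = encode_href(base + "/" + name)
        rows.append('<li><a href="%s">%s</a></li>'
                    % (html.escape(href, quote=True), html.escape(name, quote=True)))
    return "<h1>Directory: %s</h1><ul>%s</ul>" % (html.escape(base, quote=True),
                                                  "".join(rows))


def href_roundtrips(href: str, raw_name: str) -> bool:
    """Regression check for the double-encoding bug: decoding the emitted
    href exactly once must give back the real file name. A '%253F' href
    decodes to '%3F' rather than '?', and the check fails."""
    return unquote(href).rsplit("/", 1)[-1] == raw_name
```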
Joakim Erdfelt added a comment -

Adding more tests for some bad encoding issues.

NOTE: patch just exercises the bug, does not fix the bug.

Greg Wilkins added a comment -

Fixed in JETTY-1004.
