Jetty

Security / Directory Listing XSS present

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.15
  • Fix Version/s: 6.1.17
  • Component/s: Security and SSL
  • Labels:
    None
  • Number of attachments :
    1

Description

A Directory Listing XSS has been reported.

A reflective XSS can be induced whenever Jetty displays a web directory listing.

Client-side script code can be included in HTTP response by appending it next to directory listing's path, preceded by the ';' character.

Follows a PoC : 

$ echo -e "GET /cometd/dijit/;<script>alert(document.title);</script> HTTP/1.0\n\n" | nc 127.0.0.1 8080 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Content-Length: 5097 
Server: Jetty(7.0.0.pre5)

Issue Links

depends upon

Bug - A problem which impairs or prevents the functions of the product. JETTY-992 URIUtil.encodePath() allows some characters to break the URI string

  • Major - Major loss of function.
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.
relates to

Bug - A problem which impairs or prevents the functions of the product. JETTY-1004 Vulnerability in ResourceHandler and DefaultServlet with aliases

  • Blocker - Blocks development and/or testing work, production could not run
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.

Activity

Ascending order - Click to sort in descending order
Greg Wilkins made changes -
Field Original Value New Value
Assignee Joakim Erdfelt [ joakime ]
Joakim Erdfelt made changes -
Attachment JETTY-980.patch [ 41486 ]
Greg Wilkins made changes -
Link This issue depends upon JETTY-992 [ JETTY-992 ]
Greg Wilkins made changes -
Status Open [ 1 ] Resolved [ 5 ]
Fix Version/s 6.1.17.rc1 [ 15220 ]
Resolution Fixed [ 1 ]
Greg Wilkins made changes -
Status Resolved [ 5 ] Reopened [ 4 ]
Resolution Fixed [ 1 ]
Greg Wilkins made changes -
Assignee Joakim Erdfelt [ joakime ] Greg Wilkins [ gregw ]
Joakim Erdfelt made changes -
Attachment JETTY-980-more-tests.patch [ 41662 ]
Joakim Erdfelt made changes -
Attachment JETTY-980-more-tests.patch [ 41662 ]
Greg Wilkins made changes -
Link This issue relates to JETTY-1004 [ JETTY-1004 ]
Greg Wilkins made changes -
Status Reopened [ 4 ] Resolved [ 5 ]
Resolution Fixed [ 1 ]

People

  • Assignee:
    Greg Wilkins
    Reporter:
    Joakim Erdfelt
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: