Jetty

Security / Directory Listing XSS present

Details

  • Type: Bug Bug
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 6.1.15
  • Fix Version/s: 6.1.17
  • Component/s: Security and SSL
  • Labels:
    None
  • Number of attachments :
    1

Description

A Directory Listing XSS has been reported.

A reflective XSS can be induced whenever Jetty displays a web directory listing.

Client-side script code can be included in HTTP response by appending it next to directory listing's path, preceded by the ';' character.

Follows a PoC : 

$ echo -e "GET /cometd/dijit/;<script>alert(document.title);</script> HTTP/1.0\n\n" | nc 127.0.0.1 8080 
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8 
Content-Length: 5097 
Server: Jetty(7.0.0.pre5)

Issue Links

depends upon

Bug - A problem which impairs or prevents the functions of the product. JETTY-992 URIUtil.encodePath() allows some characters to break the URI string

  • Major - Major loss of function.
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.
relates to

Bug - A problem which impairs or prevents the functions of the product. JETTY-1004 Vulnerability in ResourceHandler and DefaultServlet with aliases

  • Blocker - Blocks development and/or testing work, production could not run
  • Resolved - A resolution has been taken, and it is awaiting verification by reporter. From here issues are either reopened, or are closed.

Activity

No work has yet been logged on this issue.

People

  • Assignee:
    Greg Wilkins
    Reporter:
    Joakim Erdfelt
Vote (0)
Watch (1)

Dates

  • Created:
    Updated:
    Resolved: