httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erik Abele <>
Subject Possible css vulnerability
Date Sun, 25 Aug 2002 13:52:27 GMT
Joshua Slive wrote:
   > wrote:
   >  > erikabele    2002/08/24 15:25:16
   >  >
   >  >   Modified:    docs/error HTTP_BAD_GATEWAY.html.var
   >  >                         HTTP_INTERNAL_SERVER_ERROR.html.var
   >  >                docs/error/include top.html
   >  >   Log:
   >  >   Added encoding="none" for the ssi-output of REDIRECT_ERROR_NOTES.
   >  >   This fixes the output of HTML-tags through the above env-var (e.g.
   >  >   <p> instead of &lt;p&gt;).
   > Hmmm... We need a security-review of this change.  Is it possible 
in any
   > way for the client to insert something into REDIRECT_ERROR_NOTES?  If
   > so, this change must be reversed, because it opens a
   > Cross-site-scripting vulnerability.
   > I don't know the answer, but we need to be careful here.

Hi Joshua !

A grep for 'error-notes' and 'APLOG_TOCLIENT' on the whole source tree
revealed all the places, in which the (REDIRECT_)ERROR_NOTES env-var is
set for output. I inspected all these codesections thoroughly and found
out, that almost every single output, which was coming from the client-side
(for example bad URLs) and is _not_ hardcoded, is properly escaped with

There are some places where the escaping with ap_escape_html() is
missing. Attached a file with all the places I've found. IMO we should
consider escaping these too, since they are used for example in the
canned error messages and therefore should be properly escaped anyway!

I'm definetely not a specialist in css issues and therefore would
greatly appreciate some thoughts from the big boys. IMO
it should be safe for us to keep encoding="none" in the ssi-echos, if
all, possibly malicious, input from the client-side is properly escaped
in the codeplaces where the ERROR_NOTES env-var gets set.

What do you think? Am I missing something?

BTW, while browsing through the source I discovered a place in
proxy_util.c (line 612), where the output isn't XHTMLized so far:

      apr_table_setn(r->notes, "error-notes",
		"The proxy server could not handle the request "
		"<EM><A HREF=\"", ap_escape_uri(r->pool, r->uri),
		"\">", ap_escape_html(r->pool, r->method),
		ap_escape_html(r->pool, r->uri), "</A></EM>.<P>\n"
		"Reason: <STRONG>",
		ap_escape_html(r->pool, message),
		"</STRONG>", NULL));

Since all other output and the error documents are valid XHTML, I think
we should change this too. I will prepare a patch for this and post it
on the dev list.

BTW, I inspected the following files:


and some more, but they are not relevant at all.

Erik :-)

View raw message