[ https://issues.apache.org/jira/browse/TS-3095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Javier Nieto updated TS-3095:
-----------------------------
Summary: XSS flaws due to unescaped hostnames (was: Apache Traffic Server - XSS flaws due to unescaped hostnames)
> XSS flaws due to unescaped hostnames
> ------------------------------------
>
> Key: TS-3095
> URL: https://issues.apache.org/jira/browse/TS-3095
> Project: Traffic Server
> Issue Type: Bug
> Reporter: Javier Nieto
>
> I've found a security issue in Apache Traffic Server v4.0.2 and 4.1.2. I
> believe it is similar to CVE-2012-3499.
> The vulnerability is due to unescaped hostnames.
> If we change the hostname in the HTTP header to HTML code, Apache Traffic
> Server does not properly filter HTML code from user-supplied input before
> displaying the input. A remote user can cause arbitrary scripting code to be
> executed by the target user's browser. The code will originate from the site
> running the Apache software and will run in the security context of that
> site. As a result, the code will be able to access the target user's cookies
> (including authentication cookies), if any, associated with the site, access
> data recently submitted by the target user via web form to the site, or take
> actions on the site acting as the target user.
> Let me show you a PoC:
> https://drive.google.com/file/d/0B7mOdnCWDYLBa3VQTHNjZGN0OU0/edit?usp=sharing
> I did several tests and I was able to get the user's cookies by changing the
> hostname (in the HTTP header) to this code:
> <img src=x onerror=alert(document.cookie)>
> The latest versions 4.2.0 and 4.2.1 don't have this problem. I think this bug
> should have a CVE in order to let administrators know the risk of
> using these versions.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
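The defect the report describes is a Host header value copied verbatim into an HTML error page. The following is an added illustration, not Apache Traffic Server code: a vulnerable renderer beside a hardened one that allow-lists the hostname grammar and HTML-escapes at the point of output, using the report's own payload as the constructed input. The page template and function names are assumptions.

```python
import html
import re

# Added example, not Apache Traffic Server code. A Host header value that ends
# up in an error page is untrusted input: validate it against the hostname
# grammar, then HTML-escape whatever is actually written into the markup.

# RFC 1123 label: alphanumerics and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# Dotted labels, optional trailing dot, optional ":port".
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}\.?(?::\d{{1,5}})?$")


def host_is_valid(host: str) -> bool:
    """Allow-list check: a legitimate Host header never contains '<', '>' or quotes."""
    return len(host) <= 260 and _HOST_RE.match(host) is not None


def vulnerable_error_page(host: str) -> str:
    """Reflects the Host header verbatim into HTML (the behaviour the report describes)."""
    return f"<html><body><p>Could not connect to host {host}</p></body></html>"


def hardened_error_page(host: str) -> str:
    """Rejects values outside the hostname grammar and escapes what is rendered."""
    if not host_is_valid(host):
        host = "(invalid host header)"
    safe = html.escape(host, quote=True)  # &lt; &gt; &amp; &quot; &#x27;
    return f"<html><body><p>Could not connect to host {safe}</p></body></html>"


if __name__ == "__main__":
    # Constructed input: the PoC value quoted in the report.
    payload = "<img src=x onerror=alert(document.cookie)>"
    print(vulnerable_error_page(payload))      # markup reaches the browser intact
    print(hardened_error_page(payload))        # replaced by a fixed placeholder
    print(hardened_error_page("origin.example:8080"))
```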