#1019: CVE-2009-0417: Cross-site scripting vulnerability in handling of incoming URLs
----------------------+-----------------------------------------------------
 Reporter:  david     |       Owner:  david 
     Type:  defect    |      Status:  new   
 Priority:  highest   |   Milestone:  0.11.6
Component:  request   |     Version:  0.11.5
 Severity:  critical  |    Keywords:        
Has_patch:  0         |  
----------------------+-----------------------------------------------------
 According to [http://tools.ietf.org/html/rfc3986 RFC 3986], several
 characters including certain HTML special chars are not allowed literally
 in URLs and need to be percent-encoded. However, some browsers (at least
 Microsoft Internet Explorer versions 6 and 7) violate this rule, and send
 URLs with improper encoding to the web server. As a consequence, CGI
 variables such as {{{REQUEST_URI}}} and {{{QUERY_STRING}}} contain
 potentially harmful characters that can lead to cross-site scripting
 attack vectors in HTML documents.

 Agavi uses these variables to determine the request URL, among others, and
 also outputs this data without further modification in certain places:
  * {{{AgaviWebRouting::gen(null)}}}
   * {{{gen('routename')}}} or {{{gen(null, array('foo' => 'bar'))}}} etc.
     are '''not''' affected
  * {{{AgaviWebRequest::getRequestUri()}}}
  * {{{AgaviWebRequest::getUrlPath()}}}
  * {{{AgaviWebRequest::getUrlQuery()}}}
  * {{{AgaviWebRequest::getUrl()}}}

 Using any of these methods in HTML output of applications running an
 affected version of Agavi may allow attackers to craft malicious URLs that
 they can use to inject code into the resulting HTML documents, e.g. by
 sending such a malicious URL to a person who then clicks the URL.

 Affected versions:
  * Agavi/0.11 up to and including Agavi/0.11.6-RC2
  * Agavi/1.0 up to and including Agavi/1.0.0-beta7

 Available fixes:
  * Upgrade to Agavi/0.11.6 or Agavi/1.0.0-beta8
  * Apply one of the attached patches to your copy of Agavi

 Possible workarounds:
  * Apply one of the attached patches to your copy of Agavi
  * Use [http://www.suhosin.org/ Suhosin] version
 [http://www.hardened-php.net/suhosin/changelog.html#version_0.9.21 0.9.21]
 or later, which
 [http://blog.php-security.org/archives/94-Suhosin-0.9.21-XSS-Protection.html protects against this]
  * Wrap any occurrences of calls to the methods above in PHP's
 {{{htmlspecialchars()}}} function if you're outputting them in your HTML
  * Sanitize the affected {{{$_SERVER}}} values before calling
 {{{AgaviContext::getInstance()}}}
   * the attached patches should serve as an adequate HOWTO
   * be advised that in this case, other variables such as
 {{{HTTP_X_REWRITE_URL}}} or {{{ORIG_PATH_INFO}}}, may need the same
 treatment, depending on your server configuration
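
 One way to implement the {{{$_SERVER}}} sanitising workaround above, as an
 added example that is not part of this ticket or of Agavi's attached patches.
 It percent-encodes every byte RFC 3986 does not allow literally in a URI,
 in the same variables the ticket names, before the framework bootstraps. The
 function names ({{{percent_encode_byte}}}, {{{reencode_url_component}}},
 {{{sanitize_server_url_vars}}}) are hypothetical and the sample
 {{{REQUEST_URI}}} is constructed:

```php
<?php
// Added example, not Agavi's own code. Re-encode URL-carrying $_SERVER values
// so that raw HTML metacharacters sent by a non-conforming browser cannot reach
// the page through getRequestUri(), getUrl(), gen(null) and friends.

/**
 * preg_replace_callback() helper: percent-encode one byte (named function
 * rather than a closure so this runs on PHP 5.2 as well as 5.3+).
 */
function percent_encode_byte(array $m)
{
    return sprintf('%%%02X', ord($m[0]));
}

/**
 * Percent-encode every byte that RFC 3986 does not permit literally in a URI.
 * Allowed literally: unreserved (A-Z a-z 0-9 - . _ ~), gen-delims
 * (: / ? # [ ] @), sub-delims (! $ & ' ( ) * + , ; =) and '%' itself, so
 * already-encoded URLs pass through unchanged. Everything else, including
 * '<', '>', '"', space and control bytes, becomes %XX.
 */
function reencode_url_component($value)
{
    return preg_replace_callback(
        '/[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/',
        'percent_encode_byte',
        $value
    );
}

/**
 * Sanitise the server variables Agavi (and common rewrite setups) read when
 * reconstructing the request URL. Takes the array by reference so it can be
 * applied directly to $_SERVER.
 */
function sanitize_server_url_vars(array &$server)
{
    $keys = array('REQUEST_URI', 'QUERY_STRING', 'HTTP_X_REWRITE_URL', 'ORIG_PATH_INFO');
    foreach ($keys as $key) {
        if (isset($server[$key])) {
            $server[$key] = reencode_url_component($server[$key]);
        }
    }
}

// Constructed sample modelled on what an affected browser would send unencoded.
$demo = array(
    'REQUEST_URI'  => '/foo?bar=<script>alert(1)</script>&q="x"',
    'QUERY_STRING' => 'bar=<script>alert(1)</script>&q="x"',
);
sanitize_server_url_vars($demo);
echo $demo['REQUEST_URI'], "\n";
echo $demo['QUERY_STRING'], "\n";

// In a real front controller, run this before the framework reads the request:
// sanitize_server_url_vars($_SERVER);
// $context = AgaviContext::getInstance();

// Output-time escaping is still required: the apostrophe is legal in a URL
// under RFC 3986, so it survives the re-encoding above, and only
// htmlspecialchars() with ENT_QUOTES makes the value safe inside a
// single-quoted HTML attribute.
echo htmlspecialchars($demo['REQUEST_URI'], ENT_QUOTES, 'UTF-8'), "\n";
```

 The re-encoding only restores what a conforming browser would have sent; it
 does not replace escaping at the point of output, because RFC 3986 allows
 characters such as {{{'}}} that are still meaningful in HTML attribute
 context. Apply {{{htmlspecialchars()}}} with {{{ENT_QUOTES}}} to every value
 that ends up in the document regardless of whether the input was sanitised.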

 We'd like to thank Daniel Kubitza for advising us of this issue.

 The Common Vulnerabilities and Exposures (CVE) project has assigned the
 name '''CVE-2009-0417''' to this issue. This is a candidate for inclusion
 in the CVE list (http://cve.mitre.org), which standardizes names for
 security problems.[[BR]]
 You can view details on the vulnerability at the following URL:
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0417

 If you have questions about this vulnerability, please direct them to the
 users mailing list.

-- 
Ticket URL: <http://trac.agavi.org/ticket/1019>
Agavi <http://www.agavi.org/>
An MVC Framework for PHP5


_______________________________________________
Agavi Tickets Mailing List
http://lists.agavi.org/mailman/listinfo/tickets
