** Description changed: [Impact] - Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html + Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header. [Test Case] - Described as POC at https://www.redteam-pentesting.de/en/advisories/rt- + Described as POC at https://www.redteam-pentesting.de/en/advisories/rt- sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may- lead-to-cross-site-scripting: - 1. Use the snippet of CGI go code provided and run it: go run poc.go - 2. Run nginx with the config provided to forward the FastCGI calls to the go program. - 3. curl -i -o - http://localhost:8000 - 4. Observe the output. + 1. Use the snippet of CGI go code provided and run it: go run poc.go + 2. Run nginx with the config provided to forward the FastCGI calls to the go program. + 3. curl -i -o - http://localhost:8000 + 4. Observe the output. - In a affected go build the output will say: + In an affected golang build the output will say: Content-Type: text/html (...) while in the fixed version it should recognize the content type correctly as: Content-Type: image/png [Where problems could occur] - * It may affect deployments where go apps are used as CGI scripts - if + * It may affect deployments where go apps are used as CGI scripts - if the setup was incorrectly relying on hard-coded content type it may require fixing it. [Other Info] - - * The fix is present in golang-1.15 for hirsute and groovy. + + * The fix is present in golang-1.15 for hirsute and groovy.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1914372 Title: Ubuntu packages affected by CVE-2020-24553 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
