Bug 56532 - Improper Neutralization of Input in mod_proxy_balancer.c (XSS)
Summary: Improper Neutralization of Input in mod_proxy_balancer.c (XSS)
Status: RESOLVED FIXED
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_balancer
Version: 2.4.9
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: FixedInTrunk, PatchAvailable
Depends on:
Blocks:
 
Reported: 2014-05-15 20:19 UTC by Max
Modified: 2014-06-17 16:47 UTC
Description Max 2014-05-15 20:19:41 UTC
An incomplete fix for CVE-2012-4558 has been localized in revision 1413732

mod_proxy_balancer.c

----------
        if (wsel && bsel) {
            ap_rputs("<h3>Edit worker settings for ", r);
            ap_rvputs(r, (*wsel->s->uds_path?"<i>":""), ap_proxy_worker_name(r->pool, wsel), (*wsel->s->uds_path?"</i>":""), "</h3>\n", NULL);
            ap_rputs("<form method=\"POST\" enctype=\"application/x-www-form-urlencoded\" action=\"", r);
            ap_rvputs(r, ap_escape_uri(r->pool, action), "\">\n", NULL);
----------

ap_escape_uri() has been added to the variable 'action', but in the code there is another use of 'action':

----------
        } else if (bsel) {
            const apr_array_header_t *provs;
            const ap_list_provider_names_t *pname;
            int i;
            ap_rputs("<h3>Edit balancer settings for ", r);
            ap_rvputs(r, bsel->s->name, "</h3>\n", NULL);
            ap_rputs("<form method='POST' enctype='application/x-www-form-urlencoded' action='", r);
            ap_rvputs(r, action, "'>\n", NULL);
----------

Should this be patched?

BR,
Maksymilian
cifrex.org
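
The difference between the two branches quoted above, as an added example that is not part of the original report or of httpd's source. `escape_uri()` is a simplified stand-in for `ap_escape_uri()`; `render_form()`, `count_quotes()` and the sample `action` value are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Simplified stand-in for ap_escape_uri() (assumption, not httpd's code):
 * percent-encodes all bytes except alphanumerics and "/-._~". -1 = no room. */
static int escape_uri(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int keep = isalnum(c) || strchr("/-._~", c) != NULL;
        if (o + (keep ? 1 : 3) >= outlen) return -1;
        if (keep) { out[o++] = (char)c; continue; }
        o += (size_t)snprintf(out + o, 4, "%%%02X", (unsigned)c);
    }
    out[o] = '\0';
    return (int)o;
}

/* Builds the single-quoted <form> tag of the "else if (bsel)" branch.
 * escape == 0: 'action' as reported; escape != 0: as in the other branch. */
static int render_form(const char *action, int escape, char *out, size_t outlen)
{
    char esc[512];
    if (escape && escape_uri(action, esc, sizeof esc) < 0) return -1;
    if (escape) action = esc;
    int n = snprintf(out, outlen, "<form method='POST' enctype='application/"
                     "x-www-form-urlencoded' action='%s'>\n", action);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Three single-quoted attributes: an intact tag has exactly 6 quotes. */
static int count_quotes(const char *s)
{
    int n = 0;
    for (; *s; s++) n += (*s == '\'');
    return n;
}

int main(void)
{
    const char *action = "/balancer-manager/x'y"; /* constructed sample value */
    char raw[1024], fixed[1024];
    if (render_form(action, 0, raw, sizeof raw) != 0) return 1;
    if (render_form(action, 1, fixed, sizeof fixed) != 0) return 1;
    printf("raw     (%d quotes): %s", count_quotes(raw), raw);
    printf("escaped (%d quotes): %s", count_quotes(fixed), fixed);
    return 0;
}
```

A seventh quote in the unescaped tag means the `action` attribute value ended early and the rest of the input is parsed as markup; the escaped tag keeps the value inside the attribute as `%27`.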
Comment 1 Ruediger Pluem 2014-05-16 18:57:00 UTC
Thanks for the pointer. Fixed in r1595305 in trunk.
Comment 2 Florian Weimer 2014-06-17 07:04:15 UTC
Does this new fix have any security impact?
Comment 3 Ruediger Pluem 2014-06-17 16:47:35 UTC
Backported to 2.4.x as r1603141