Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- None
Description
VULNERABILITY DETAILS
There is a way to bypass the anti-XSS filter for DOM-based XSS by exploiting "window.location.href".
Consider a typical URL:
scheme://domain:port/path?query_string#fragment_id
Browsers correctly encode both the "path" and the "query_string", but not the "fragment_id".
Because the fragment is never sent to the server, a vector placed in "fragment_id" is also not logged by the web server.
VERSION
Chrome Version: 10.0.648.134 (Official Build 77917) beta
REPRODUCTION CASE
This is the index.html page:
<pre>aws s3api --endpoint <script>document.write(window.location.href.replace("static/", ""))</script> create-bucket --bucket=wordcount</pre>
The attack vector is:
index.html?#<script>alert('XSS');</script>
- PoC:
For your convenience, a minimalist PoC is located at:
http://security.onofri.org/xss_location.html?#<script>alert('XSS');</script>
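The root cause is that the page writes the raw href into markup, so whatever sits in the fragment is parsed as HTML. Below is an added example, not code from the original report, contrasting that sink with a hardened version that escapes the value before concatenation, plus a small check for fragments that contain tag-opening characters. The URL and host are constructed for the example; the `escapeHtml`, `renderUnsafe`, `renderSafe` and `fragmentLooksLikeMarkup` names are assumptions, not from the page.

```javascript
// Added example (not part of the original report): rendering the current URL
// into the page without letting a fragment-borne payload become markup.

// Minimal HTML escaper for text context: neutralises the characters that can
// start a tag, close an attribute, or begin an entity.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern from the report: the untrusted href is concatenated
// straight into HTML, so a <script> in the fragment is interpreted as a tag.
function renderUnsafe(href) {
  return "<pre>aws s3api --endpoint " + href.replace("static/", "") +
         " create-bucket --bucket=wordcount</pre>";
}

// Hardened pattern: the same output, but the href is escaped first so the
// fragment can only ever render as visible text.
function renderSafe(href) {
  return "<pre>aws s3api --endpoint " + escapeHtml(href.replace("static/", "")) +
         " create-bucket --bucket=wordcount</pre>";
}

// Detection aid for client-side logging: fragments are not sent to the server,
// so the only place to notice a suspicious one is in the browser itself.
function fragmentLooksLikeMarkup(href) {
  const idx = href.indexOf("#");
  if (idx === -1) return false;
  return /[<>"']/.test(href.slice(idx + 1));
}

// Constructed sample mirroring the report's attack vector (host is fictitious).
const sampleHref =
  "http://example.invalid/static/index.html?#<script>alert('XSS');</script>";

// Stand-alone demonstration: the unsafe output carries a live <script> tag,
// the safe output carries only entity-encoded text.
if (typeof require !== "undefined" && require.main === module) {
  console.log(renderUnsafe(sampleHref));
  console.log(renderSafe(sampleHref));
  console.log("suspicious fragment:", fragmentLooksLikeMarkup(sampleHref));
}
```

In a real page the simpler fix is to avoid string-built HTML altogether: create the `<pre>` element and assign the URL with `textContent` rather than `document.write`, which removes the need for an escaper entirely. The escaping version is shown because it maps one-to-one onto the vulnerable snippet in the report.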
- References
- DOM Based Cross-Site Scripting or XSS of the Third Kind - http://www.webappsec.org/projects/articles/071105.shtml