Open areynold opened 11 years ago
Upstream Issue: http://luci.subsignal.org/trac/browser/luci/branches/luci-0.11/libs/web/luasrc/dispatcher.lua lines 113-126. Also affects 500 response, lines 131-145.
Probable change: Add luci.http.header("X-Content-Type-Options", "nosniff")
Might also apply to line 840+ (cbi-self).
LuCI 404 error page (No page is registered) includes the path of the request without escaping it. The 404 response is sent with a Content-Type: text/plain header and no X-Content-Type-Options: nosniff header is present. It’s possible to abuse that in browsers doing MIME sniffing (MSIE < 9) to execute arbitrary script in the context of the target application.
However, successful exploitation requires the victim to use an outdated browser, as well as to disable friendly HTTP error messages (which is a default setting), therefore the impact of this vulnerability is limited. Nevertheless the X-Content-Type-Options: nosniff HTTP response header should be used on this endpoint.
Originally reported as WRT-01-006
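As an added example (not code from the LuCI project or from this issue), a small Python audit that flags the two conditions the report describes, a reflected unescaped request path and a missing nosniff header on a text/plain error response, and confirms that a corrected response passes. The sample responses, bodies and path below are constructed for illustration.

```python
"""Audit an HTTP error response for the conditions in the LuCI 404 report:
a text/plain body that reflects the raw request path with no
X-Content-Type-Options: nosniff header. All sample data is constructed."""
from html import escape

NOSNIFF = "nosniff"


def _header(headers, name):
    # Header names are case-insensitive; return the first match or None.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def audit_error_response(status, headers, body, requested_path):
    """Return a list of finding strings for one response (empty if clean)."""
    findings = []
    if status not in (404, 500):
        return findings
    ctype = (_header(headers, "Content-Type") or "").lower()
    xcto = (_header(headers, "X-Content-Type-Options") or "").strip().lower()
    if xcto != NOSNIFF:
        findings.append("missing X-Content-Type-Options: nosniff")
    # Reflection check: the path contains markup characters, yet it appears
    # verbatim in the body, so the server did not escape it.
    needs_escaping = escape(requested_path) != requested_path
    if needs_escaping and requested_path in body:
        findings.append("request path reflected without escaping")
        if ctype.startswith("text/plain") and xcto != NOSNIFF:
            findings.append("text/plain body is sniffable by legacy MSIE")
    return findings


# Constructed request path containing markup, and two constructed responses:
# the reported behaviour and the corrected one (escaped path plus nosniff).
RAW_PATH = "/cgi-bin/luci/<b>not-a-page</b>"

VULNERABLE = (404,
              {"Content-Type": "text/plain"},
              "No page is registered at '" + RAW_PATH + "'.\n")

FIXED = (404,
         {"Content-Type": "text/plain",
          "X-Content-Type-Options": "nosniff"},
         "No page is registered at '" + escape(RAW_PATH) + "'.\n")


def run_samples():
    """Audit both constructed responses; returns {"vulnerable": [...], "fixed": []}."""
    return {"vulnerable": audit_error_response(*VULNERABLE, RAW_PATH),
            "fixed": audit_error_response(*FIXED, RAW_PATH)}
```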