tietang / javamelody

Automatically exported from code.google.com/p/javamelody

XSS through X-Forwarded-For header spoofing #346

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
It is possible to inject an XSS payload via a manipulated "X-Forwarded-For" header that will be rendered unescaped as the remote address in the sessions report page.

IMO the bug is in the MonitoringFilter.putUserInfoInSession() method, because the "X-Forwarded-For" header should be handled as untrusted input data:

    // Header value is client-controlled: it is stored as-is and later rendered in the report.
    final String forwardedFor = httpRequest.getHeader("X-Forwarded-For");
    final String remoteAddr;
    if (forwardedFor == null) {
        remoteAddr = httpRequest.getRemoteAddr();
    } else {
        remoteAddr = httpRequest.getRemoteAddr() + " forwarded for " + forwardedFor;
    }
    session.setAttribute(SessionInformations.SESSION_REMOTE_ADDR, remoteAddr);

Original issue reported on code.google.com by rafael.l...@osoco.es on 26 Sep 2013 at 4:48

GoogleCodeExporter commented 9 years ago
First, I acknowledge the issue.

I think that the fix should be to have an escaped rendering.

I will fix that shortly.
Many thanks for the report.

Original comment by evernat@free.fr on 26 Sep 2013 at 10:01
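The escaped-rendering fix proposed above, shown as an added Java example that is not javamelody's own code: the stored remote address is kept as the filter builds it, and the untrusted value is HTML-escaped at the point of output. Class and method names are hypothetical; the sample input is constructed.

```java
// Added example, not javamelody's code: escape the remote address when rendering it.
public final class RemoteAddrRendering {

    // Mirrors the MonitoringFilter logic quoted in the report: the header value is
    // attacker-controlled, so the stored string may contain markup.
    static String remoteAddr(String remoteAddr, String forwardedFor) {
        if (forwardedFor == null) {
            return remoteAddr;
        }
        return remoteAddr + " forwarded for " + forwardedFor;
    }

    // Minimal HTML escaping covering the characters that matter in an HTML text
    // node and in a double- or single-quoted attribute value.
    static String htmlEscape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Vulnerable rendering: the untrusted value is concatenated into the page unchanged.
    static String renderUnescaped(String storedRemoteAddr) {
        return "<td>" + storedRemoteAddr + "</td>";
    }

    // Fixed rendering: the same value, escaped at output time.
    static String renderEscaped(String storedRemoteAddr) {
        return "<td>" + htmlEscape(storedRemoteAddr) + "</td>";
    }

    public static void main(String[] args) {
        // Constructed sample: a benign remote address plus a header value carrying markup.
        String stored = remoteAddr("10.0.0.5", "<b>not an address</b>");
        System.out.println(renderUnescaped(stored)); // markup reaches the browser intact
        System.out.println(renderEscaped(stored));   // markup shown as literal text
    }
}
```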

GoogleCodeExporter commented 9 years ago
It is now fixed.
It's committed in trunk (revision 3515) and it's ready for the next release 
(1.47).

If you need it, I have made a new build including the fix and it's available 
for your webapp at:
https://javamelody.googlecode.com/files/javamelody-20130927.jar

Note that the release 1.47, including that fix, is supposed to be released in 
just a few days from now.

Original comment by evernat@free.fr on 26 Sep 2013 at 10:22

GoogleCodeExporter commented 9 years ago
And the new build of the plugin for JIRA, Confluence and Bamboo is available at:
https://javamelody.googlecode.com/files/jira-javamelody-20130927.jar

Original comment by evernat@free.fr on 26 Sep 2013 at 10:33

GoogleCodeExporter commented 9 years ago
Thank you for the fast fix.

I requested a CVE ID for the issue. We can refer to it as CVE-2013-4378.

Rafa

Original comment by rafael.l...@osoco.es on 27 Sep 2013 at 8:31

GoogleCodeExporter commented 9 years ago
CVE is available at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4378

Original comment by evernat@free.fr on 2 Oct 2013 at 7:03