XSS in Java StackTraces, REST error message

Description

When pulling the requested file (from the URL) into the Java StackTrace, the output is not sanitized. This results in a Cross-Site Scripting vulnerability in the Java StackTrace.

lucee.runtime.exp.ExpressionException: file or directory /var/lib/lucee/temp///<img src=a onerror=alert(1)>mc43u not exist at ...

It appears to be properly sanitized under the Message field.

Environment

None

Activity

Michael Offner
April 6, 2018, 2:48 PM

I'm fine approving the situation, but I'm not sure what the best approach is.

Zac Spitzer
April 6, 2018, 2:58 PM

Escape it when rendering to a browser, leave it in plain text in the logs; as we say in German, tough luck!

Zac Spitzer
May 26, 2020, 1:26 PM

This was just raised again on Slack, the default configuration for Lucee:

http://localhost:8888/rest/<script>alert(1)</script>

Zac Spitzer
May 26, 2020, 1:36 PM

Should the error templates be using htmlEditFormat() or encodeForHtml()?

https://github.com/lucee/Lucee/blob/5.3/core/src/main/cfml/context/templates/error/error-neo.cfm#L50

But that sample REST XSS isn't using a template; it's just writing directly to the response:

https://github.com/lucee/Lucee/blob/5.3/core/src/main/java/lucee/runtime/rest/RestUtil.java#L66

Would HttpServletResponse.sendError() be a better choice? It's XSS-safe since 6.0.18: http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.18
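The two points raised above (the untrusted path from the request ending up in the error output, and escaping only when the message is rendered to a browser while the log keeps plain text) can be shown side by side. The following is an added example, not Lucee's RestUtil code or its error templates: the class, method names and the `escapeHtml` helper are hypothetical, and the sample path is constructed from the payload quoted in the report. The escaper is a stand-in for encodeForHtml(), written here so the block compiles with no dependencies on Java 8 or later.

```java
import java.util.Objects;

/**
 * Added example (not Lucee code): the same error message written two ways.
 * vulnerableErrorBody() reproduces the defect described in the ticket, where
 * the requested path is concatenated straight into an HTML response.
 * safeErrorBody() escapes the path for an HTML context first.
 * logLine() keeps the raw path, because a log file is plain text, not HTML.
 */
public final class ErrorBodyEscaping {

    private ErrorBodyEscaping() {}

    /** Minimal HTML entity escaper (stand-in for encodeForHtml()). */
    public static String escapeHtml(String s) {
        Objects.requireNonNull(s, "s");
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#x27;"); break;
                case '/':  sb.append("&#x2F;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Vulnerable: request-controlled text is interpreted as HTML by the browser. */
    public static String vulnerableErrorBody(String requestedPath) {
        return "<html><body>file or directory " + requestedPath
                + " not exist</body></html>";
    }

    /** Hardened: identical message, but the untrusted part is rendered as text. */
    public static String safeErrorBody(String requestedPath) {
        return "<html><body>file or directory " + escapeHtml(requestedPath)
                + " not exist</body></html>";
    }

    /** Log output stays unescaped: escaping belongs at the HTML sink only. */
    public static String logLine(String requestedPath) {
        return "ExpressionException: file or directory " + requestedPath + " not exist";
    }

    public static void main(String[] args) {
        // Constructed sample, modelled on the path quoted in the report.
        String path = "/var/lib/lucee/temp///<img src=a onerror=alert(1)>mc43u";

        System.out.println("vulnerable: " + vulnerableErrorBody(path));
        System.out.println("safe:       " + safeErrorBody(path));
        System.out.println("log:        " + logLine(path));

        // Sanity checks: the hardened body carries no markup from the input,
        // while the log line still shows exactly what was requested.
        if (!vulnerableErrorBody(path).contains("<img")) throw new AssertionError();
        if (safeErrorBody(path).contains("<img")) throw new AssertionError();
        if (!safeErrorBody(path).contains("&lt;img src=a onerror=alert(1)&gt;")) throw new AssertionError();
        if (!logLine(path).contains("<img")) throw new AssertionError();
    }
}
```

In a servlet, the alternative suggested in the comment above is to hand the message to the container with `response.sendError(status, message)` instead of writing the body yourself, so that the container's own error page (and, per the linked Tomcat advisory, its escaping of the message) applies. Whichever route is taken, the rule the example illustrates is the same: escape at the point where the text becomes HTML, and nowhere else.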

Zac Spitzer
August 14, 2020, 2:36 PM

What about the REST XSS?

Fixed

Assignee

Michael Offner

Reporter

Jordan Potti

Priority

Major

Labels

Fix versions

None

Sprint

5.3.8 Sprint 3