Posted to issues@trafficserver.apache.org by "Devaki (JIRA)" <ji...@apache.org> on 2016/01/22 18:03:40 UTC

[jira] [Created] (TS-4145) ATS 6.0.0 - Address cross-site scripting exploits in error messages

Devaki created TS-4145:
--------------------------

             Summary: ATS 6.0.0 - Address cross-site scripting exploits in error messages
                 Key: TS-4145
                 URL: https://issues.apache.org/jira/browse/TS-4145
             Project: Traffic Server
          Issue Type: Bug
          Components: Configuration, Parent Proxy
            Reporter: Devaki


Address potential cross-site scripting exploits in the following files:

1.)    Replace the variable psh with epsh in files:
proxy/config/body_factory/default/redirect#moved_temporarily
proxy/config/body_factory/default/redirect#moved_permanently

2.)    Variable cqh in proxy/config/body_factory/default/access#redirect_url should be replaced with ecqh. However, the file appears unutilized in ATS 6.0.0, hence remove it from the Makefile altogether.

Suggested patch:
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am
--- trafficserver-6.0.0/proxy/config/body_factory/default/Makefile.am	2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/Makefile.am	2016-01-19 12:49:44.823719964 -0500
@@ -21,7 +21,6 @@ bodyfactorydir = $(pkgsysconfdir)/body_f
 dist_bodyfactory_DATA = \
   access\#denied \
   access\#proxy_auth_required \
-  access\#redirect_url \
   access\#ssl_forbidden \
   .body_factory_info \
   cache\#not_in_cache \
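Review bot: Dropping `access\#redirect_url` from dist_bodyfactory_DATA only stops the file from being distributed and installed; the patch carries no hunk that deletes access#redirect_url or changes cqh to ecqh inside it, so the unescaped template stays in the source tree. Suggest deleting the file in the same change, or applying the ecqh replacement from item 2 as well, and stating in the commit message how it was confirmed that nothing still looks up the redirect_url template.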
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently trafficserver-6.0.0-1/proxy/config/body_factory/defau
lt/redirect#moved_permanently
--- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_permanently	2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_permanently	2016-01-19 12:50:47.669068203 -0500
@@ -8,7 +8,7 @@
 <HR>
 
 <FONT FACE="Helvetica,Arial"><B>
-Description: The document you requested has moved to a new location.  The new location is "%<{Location}psh>".
+Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
 </B></FONT>
 <HR>
 </BODY>
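Review bot: The switch to `%<{Location}epsh>` on the Description line comes with no test or note showing the escaped output was checked. Suggest adding a regression test that returns a 301 whose Location value contains `<`, `>`, `"` and `&`, and asserts that the generated body shows them escaped, including the double quote, since the value is rendered between quotation marks in this sentence.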
diff -Nrup trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily trafficserver-6.0.0-1/proxy/config/body_factory/defau
lt/redirect#moved_temporarily
--- trafficserver-6.0.0/proxy/config/body_factory/default/redirect#moved_temporarily	2015-09-08 13:43:45.000000000 -0400
+++ trafficserver-6.0.0-1/proxy/config/body_factory/default/redirect#moved_temporarily	2016-01-19 12:50:33.548765337 -0500
@@ -8,7 +8,7 @@
 <HR>
 
 <FONT FACE="Helvetica,Arial"><B>
-Description: The document you requested has moved to a new location.  The new location is "%<{Location}psh>".
+Description: The document you requested has moved to a new location.  The new location is "%<{Location}epsh>".
 </B></FONT>
 <HR>
 </BODY>
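Review bot: The Description line here gets the same one-word fix as redirect#moved_permanently, which suggests the unescaped form was copied between templates. Suggest auditing the remaining files under proxy/config/body_factory/default for other `%<{...}psh>` or `%<{...}cqh>` substitutions and covering them in this change, so the fix is not limited to the two redirect pages.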





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
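The audit implied by items 1 and 2 of the issue, written out as an added example (not part of the original message or of the Traffic Server code base). It assumes the `%<{Header}code>` syntax visible in the patch and treats only the two pairs named in the issue (psh/epsh, cqh/ecqh) as unescaped/escaped; the template bodies are constructed samples.

```python
import re

# Substitution syntax as it appears in the patched templates: %<{Header}code>
FIELD_RE = re.compile(r"%<\{(?P<header>[^}]*)\}(?P<code>[A-Za-z]+)>")

# Unescaped -> escaped field codes, limited to the two pairs named in the issue.
ESCAPED_FORM = {"psh": "epsh", "cqh": "ecqh"}


def audit_template(name, text):
    """Return (file, line, header, code, suggested_code) for each unescaped field."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in FIELD_RE.finditer(line):
            code = m.group("code")
            if code in ESCAPED_FORM:
                findings.append((name, line_no, m.group("header"), code, ESCAPED_FORM[code]))
    return findings


def fix_template(text):
    """Rewrite unescaped field codes to their escaped form; leave the rest untouched."""
    def swap(m):
        code = m.group("code")
        return "%<{" + m.group("header") + "}" + ESCAPED_FORM.get(code, code) + ">"
    return FIELD_RE.sub(swap, text)


# Constructed sample input: the first body mirrors the line shown in the patch,
# the second is an invented line, since the page does not show that file's content.
SAMPLES = {
    "redirect#moved_temporarily": '<HR>\n<B>\nThe new location is "%<{Location}psh>".\n</B>\n',
    "access#redirect_url": 'Redirecting request for %<{Host}cqh> (constructed line)\n',
    "already#fixed": 'The new location is "%<{Location}epsh>".\n',
}


def audit_all(templates):
    """Audit a {file name: body} mapping and return all findings, sorted by file name."""
    out = []
    for name in sorted(templates):
        out.extend(audit_template(name, templates[name]))
    return out


if __name__ == "__main__":
    for finding in audit_all(SAMPLES):
        print("%s:%d: {%s}%s is unescaped, use %s" % finding)
```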