[erlang-bugs] XSS in inets

Michael Santos michael.santos@REDACTED
Tue May 12 03:11:14 CEST 2009


The inets httpd server does not perform output encoding on user input.

$ nc localhost 8080
GET /<b>blah</b> HTTP/1.0

HTTP/1.0 404 Object Not Found
Server: inets/5.0.13
Date: Tue, 12 May 2009 00:57:16 GMT
Content-Type: text/html
Content-Length: 206

<HTML> 
       <HEAD>
           <TITLE>Object Not Found</TITLE>
       </HEAD>
       <BODY>
       <H1>Object Not Found</H1>
The requested URL /<b>blah</b> was not found on this server.
</BODY>
      </HTML>

The supplied markup in the entity body may be interpreted by the
browser, with the possibility of XSS, phishing, etc.

Fix:

For the error page, maybe return "text/plain". A proper fix is to perform
HTML or URI encoding on any user supplied input that is subsequently
outputted.
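One way to apply that fix, as an added example that is not part of the original report or of inets: an HTML-escaping helper and a 404 body builder that escapes the request URI before interpolating it into the page. The module name, the `not_found_body/1` helper and the page layout are assumptions made here; the layout mirrors the response quoted above.

```erlang
%% Added example, not inets code: escape user-supplied input before it
%% is interpolated into an HTML error page.
-module(escape_404).
-export([html_escape/1, not_found_body/1, demo/0]).

%% Replace the characters that can change HTML structure with entities.
%% Accepts Erlang strings (lists of characters) and binaries.
html_escape(Bin) when is_binary(Bin) ->
    list_to_binary(html_escape(binary_to_list(Bin)));
html_escape(Str) when is_list(Str) ->
    lists:flatmap(fun escape_char/1, Str).

escape_char($<) -> "&lt;";
escape_char($>) -> "&gt;";
escape_char($&) -> "&amp;";
escape_char($") -> "&quot;";
escape_char($') -> "&#39;";
escape_char(C)  -> [C].

%% Hypothetical 404 page builder: same layout as the response quoted in
%% the report, but the request URI is escaped before interpolation.
not_found_body(RequestUri) ->
    Safe = html_escape(RequestUri),
    lists:flatten(io_lib:format(
        "<HTML>~n"
        "  <HEAD><TITLE>Object Not Found</TITLE></HEAD>~n"
        "  <BODY>~n"
        "  <H1>Object Not Found</H1>~n"
        "The requested URL ~s was not found on this server.~n"
        "  </BODY>~n"
        "</HTML>~n", [Safe])).

%% Self-check using the request path from the report (constructed input).
%% Returns ok when the raw tag is gone and its escaped form is present.
demo() ->
    Body = not_found_body("/<b>blah</b>"),
    0 = string:str(Body, "<b>"),
    true = string:str(Body, "/&lt;b&gt;blah&lt;/b&gt;") > 0,
    io:format("~s", [Body]),
    ok.
```

Compile with `erlc escape_404.erl` and run `escape_404:demo().` from the shell; the printed body contains `&lt;b&gt;blah&lt;/b&gt;` instead of a live tag. Two details matter when wiring this into a server: escape the URI after any percent-decoding, so that an encoded `%3C` cannot slip past the escaper and be decoded later, and compute `Content-Length` from the escaped body, since escaping lengthens it.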
