[erlang-bugs] XSS in inets
Michael Santos
michael.santos@REDACTED
Tue May 12 03:11:14 CEST 2009
The inets httpd server does not perform output encoding on user input.
$ nc localhost 8080
GET /<b>blah</b> HTTP/1.0
HTTP/1.0 404 Object Not Found
Server: inets/5.0.13
Date: Tue, 12 May 2009 00:57:16 GMT
Content-Type: text/html
Content-Length: 206
<HTML>
<HEAD>
<TITLE>Object Not Found</TITLE>
</HEAD>
<BODY>
<H1>Object Not Found</H1>
The requested URL /<b>blah</b> was not found on this server.
</BODY>
</HTML>
The supplied markup in the entity body may be interpreted by the
browser, with the possibility of XSS, phishing, etc.
Fix:
For the error page, maybe return "text/plain". A proper fix is to perform
HTML or URI encoding on any user supplied input that is subsequently
outputted.
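As an added illustration of the proper fix described above (example code, not from the original post or from inets itself): an Erlang module, with hypothetical module and function names, that HTML-encodes the request URI before interpolating it into the error page, so markup in the path is rendered literally instead of interpreted by the browser.

```erlang
%% Added example, not inets code. Module and function names are hypothetical.
-module(html_escape_example).
-export([escape/1, not_found_page/1, selftest/0]).

%% Replace the characters that change meaning inside HTML text or attribute
%% values with their entity references. Works on charlists and binaries.
escape(Input) when is_list(Input) ->
    lists:flatmap(fun escape_char/1, Input);
escape(Input) when is_binary(Input) ->
    list_to_binary(escape(binary_to_list(Input))).

escape_char($&) -> "&amp;";
escape_char($<) -> "&lt;";
escape_char($>) -> "&gt;";
escape_char($") -> "&quot;";
escape_char($') -> "&#39;";
escape_char(C)  -> [C].

%% Build the 404 body with the request URI escaped at the point where it is
%% written into the HTML. Only the user-controlled value is encoded; the
%% server's own static markup is emitted unchanged.
not_found_page(RequestUri) ->
    lists:flatten([
        "<HTML>\n<HEAD>\n<TITLE>Object Not Found</TITLE>\n</HEAD>\n<BODY>\n",
        "<H1>Object Not Found</H1>\n",
        "The requested URL ", escape(RequestUri),
        " was not found on this server.\n</BODY>\n</HTML>\n"]).

%% Check against the request path from the report: the <b> tags come back as
%% entities, and the generated page contains no raw <b>.
selftest() ->
    "/&lt;b&gt;blah&lt;/b&gt;" = escape("/<b>blah</b>"),
    Page = not_found_page("/<b>blah</b>"),
    nomatch = string:find(Page, "<b>"),
    ok.
```

Run `html_escape_example:selftest().` in an Erlang shell after compiling the module; it returns `ok` when the encoding behaves as intended.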