Описание
Silverstripe IE requests not properly behaving with rewritehashlinks
Non IE browsers don’t appear to be affected, but I haven’t tested a wide range of browsers to be sure
Requests that come through from IE do NOT appear to encode all entities in the URL string, meaning they are inserted into output content directly by SSViewer::process() when rewriting hashlinks, as it directly outputs $_SERVER[‘REQUEST_URI’]
Example IE8 request 127.0.0.1 - - [18/Jun/2014:14:13:42 +1000] “GET /site/cars/brands/toyota?one=1\”onmouseover=\”alert(‘things’);\” HTTP/1.1” 200
Example FF request 127.0.0.1 - - [18/Jun/2014:14:14:22 +1000] “GET /site/cars/brands/toyota?one=1%22onmouseover=%22alert(%27things%27);%22 HTTP/1.1” 200
This causes any hash anchor to have the JS code inserted into the page as-is.
Ссылки
- https://github.com/silverstripe/silverstripe-framework/commit/604c32871202064a4aa12c3b3fd58140231685e5
- https://github.com/silverstripe/silverstripe-framework/commit/bdef4fc7a548c7c243ff86f2db7c16f301a6f120
- https://github.com/FriendsOfPHP/security-advisories/blob/master/silverstripe/framework/SS-2014-015-1.yaml
- https://www.silverstripe.org/software/download/security-releases/ss-2014-015-ie-requests-not-properly-behaving-with-rewritehashlinks
Пакеты
silverstripe/framework
<= 3.0.12
3.0.13
silverstripe/framework
>= 3.1.0, <= 3.1.11
3.1.12
6.1 Medium
CVSS3
Дефекты
6.1 Medium
CVSS3