[Rabbit-dev] cross-site-scripting vulnerability

Jeff Adamson jwa at urbancode.com
Mon Mar 1 22:21:43 CET 2010


I did not see any mechanisms within the rabbIT codebase for escaping HTML
strings.  I created the following patch, which makes use of the Apache
commons-lang 2.x project to perform the escaping.

I do hope I am not being presumptuous, nor do I intend any insult.  I just needed
the change fixed ASAP for a security audit, and so I needed to do it myself
locally.  I am grateful for your tool and that it is open source, enabling
me to do this when needed.  I am just supplying the patch as an FYI. There
are certainly no hard feelings or anything if you decide not to use it,
especially considering it would introduce a new dependency on a third-party
library.

I tried to keep the patch to a minimum, but I feel I should also mention a
couple of other observations:
1) most usages of StringBuilder within StandardResponseHeaders appear to be
superfluous, e.g. the #append method is only being called once; all the
string concatenation work is actually being done by literal concatenation
within the argument and not by the StringBuilder instance.
2) most of the error pages are not declaring any sort of doctype and seem
to be using some sort of HTML 3.x structure instead of any HTML 4, HTML 5, or
XHTML format.

-Jeff

On Sat, Feb 27, 2010 at 4:09 AM, <robo at khelekore.org> wrote:

> Hello!
>
> > Couple quick questions:
> > 1) is there a public (readonly) source repository for this or is it just
> > available as individual tar.gz downloads
>
> Currently there is none, but I can probably set up a git-mirror of
> my working tree. It will take some days though, since I am currently
> traveling.
>
> > 2) src/rabbit/proxy/StandardResponseHeaders:148 needs to escape/encode the
> > url.
>
> You are probably correct in that and it ought to be easy to fix.
> That code actually comes from the rabbit/2.x if I remember correctly.
>
> I will take a look at it later.
>
> /robo
>
>
>
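As an added illustration of the fix Jeff describes (example code written for this page, not RabbIT's StandardResponseHeaders and not the attached xss.patch), the hypothetical ErrorPageExample below places the unescaped concatenation beside the form that escapes the requested URL with commons-lang 2.x before it reaches the error page; the class name, method names and sample URL are assumptions.

```java
import org.apache.commons.lang.StringEscapeUtils;

/** Hypothetical stand-in for a proxy error-page builder (not RabbIT's own code). */
public final class ErrorPageExample {

    /** Vulnerable form: the requested URL is concatenated into the page verbatim,
     *  so any markup contained in the URL is rendered by the browser as markup. */
    static String unsafeErrorPage(String requestedUrl) {
        return "<html><body><p>Failed to fetch " + requestedUrl + "</p></body></html>";
    }

    /** Hardened form: the attacker-controlled value is HTML-escaped before it is
     *  placed in element content. commons-lang 2.x escapeHtml turns &, <, > and "
     *  into entities, so the URL can no longer close the paragraph or open a tag.
     *  A doctype is declared as well, which Jeff's second observation asks for. */
    static String safeErrorPage(String requestedUrl) {
        return "<!DOCTYPE html>\n<html><body><p>Failed to fetch "
             + StringEscapeUtils.escapeHtml(requestedUrl) + "</p></body></html>";
    }

    public static void main(String[] args) {
        // Constructed sample input: a request URL whose path carries markup and an ampersand.
        String url = "http://example.invalid/<b>not-bold</b>?q=a&b";
        System.out.println(unsafeErrorPage(url));  // markup from the URL survives verbatim
        System.out.println(safeErrorPage(url));    // markup is rendered as text, not parsed
    }
}
```

Escaping must be applied at the point where the value is written into HTML; escaping earlier, or only for some code paths, leaves the other error pages in the class with the same problem.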