Opened 7 months ago

Last modified 7 months ago

#23574 accepted defect

Don't allow text injection in our 404 page

Reported by: gk
Owned by: hiro
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

We got a report on HackerOne by sumitthehacker:

I want to report a text injection and a misconfiguration of the 404 page.

The bug exists at:

https://www.torproject.org/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20https://www.Attacker.com%20so%20go%20to%20the%20new%20one%20since%20this%20one

As you can see, attacker text is included:
"It has been changed by a new one https://www.attacker.com so go to the new one since this one was not found on this server."

Change History (5)

comment:1 Changed 7 months ago by weasel

Resolution: invalid
Status: new → closed

I don't think this is an issue whatsoever, but feel free to bring it up with the web people to see if they care.

comment:2 Changed 7 months ago by hiro

I think the important point is that no code can be executed.

You can test by passing JavaScript to the URL and it doesn't do anything. Although, if we really care we can have the message in the 404 page just to say "The URL you typed was not found" or something along those lines, without having to repeat the URL.
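
The trade-off discussed in comment:2, as an added example that is not part of the ticket or of the Tor Project's code: escaping the reflected path stops script execution but still lets the URL supply the sentence a visitor reads, while a fixed message reflects nothing. The handler names, the "The requested URL" wording and the `reflects_request` check are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed sample input: the path component of the URL quoted in the report.
REPORTED_PATH = ("/test/%2f../It%20has%20been%20changed%20by%20a%20new%20one%20"
                 "https://www.Attacker.com%20so%20go%20to%20the%20new%20one%20"
                 "since%20this%20one")

def render_404_reflecting(raw_path: str) -> str:
    """Hypothetical handler: echoes the decoded path, HTML-escaped."""
    shown = html.escape(unquote(raw_path))
    return f"<p>The requested URL {shown} was not found on this server.</p>"

def render_404_static(raw_path: str) -> str:
    """Hypothetical handler following comment:2: the URL is never repeated."""
    return "<p>The URL you typed was not found.</p>"

def reflects_request(body: str, raw_path: str, min_len: int = 12) -> bool:
    """Regression check: does a 404 body contain request-controlled text?

    Compares each long path segment (decoded and escaped the same way a
    reflecting handler would emit it) against the response body.
    """
    decoded = html.escape(unquote(raw_path))
    segments = [s for s in decoded.split("/") if len(s) >= min_len]
    return any(seg in body for seg in segments)

if __name__ == "__main__":
    for render in (render_404_reflecting, render_404_static):
        body = render(REPORTED_PATH)
        print(render.__name__, "reflects request:",
              reflects_request(body, REPORTED_PATH))
        print("  ", body)
```

Run against a staging copy of the error page, a check like `reflects_request` can serve as a regression test once the message is made static.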

comment:3 Changed 7 months ago by hiro

Resolution: invalid
Status: closed → reopened

comment:4 Changed 7 months ago by hiro

Owner: changed from tpa to hiro
Status: reopened → assigned

comment:5 Changed 7 months ago by hiro

Status: assigned → accepted