Opened 3 years ago

Last modified 3 years ago

#23574 accepted defect

Don't allow text injection in our 404 page

Reported by: gk
Owned by: hiro
Priority: Medium
Milestone:
Component: Internal Services/Tor Sysadmin Team
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


We got a report on HackerOne by sumitthehacker:

I want to report a text injection and a misconfiguration of the 404 page.

the bug exists at :

As you can see, attacker text is included:
"It has been changed by a new one so go to the new one since this one was not found on this server."

Child Tickets

Change History (5)

comment:1 Changed 3 years ago by weasel

Resolution: invalid
Status: new → closed

I don't think this is an issue whatsoever, but feel free to bring it up with the web people to see if they care.

comment:2 Changed 3 years ago by hiro

I think the important point is that no code can be executed.

You can test by passing javascript to the url and it doesn't do anything. Although, if we really care we can have the message in the 404 page just to say "The URL you typed was not found" or something along those lines, without having to repeat the URL.
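The two behaviours discussed in this comment, as an added illustration that is not part of the ticket and not Tor's actual error template: a hypothetical `build_404_echoing` stands in for a 404 page that copies the requested path into its message (the pattern the report complains about), `build_404_safe` for the fixed "The URL you typed was not found" wording, and `build_404_escaped` for the middle ground where the path is shown but HTML-escaped so it can never run as markup. `echoes_request_text` is a small self-check a site owner can point at their own handler: it requests a path carrying a harmless sentinel and reports whether the sentinel comes back in the body. All function names and sample paths are constructed for this example.

```python
import html
from urllib.parse import unquote

# Constructed sample path carrying the sentence quoted in the report, as a
# browser would send it (percent-encoded). Not a real URL from the ticket.
SAMPLE_PATH = (
    "/docs/old-page.%20It%20has%20been%20changed%20by%20a%20new%20one%20so%20go"
    "%20to%20the%20new%20one%20since%20this%20one%20was%20not%20found%20on%20this%20server."
)


def build_404_echoing(raw_path: str) -> str:
    """The pattern the report objects to: the decoded request path is copied
    verbatim into the message, so whoever crafts the link controls part of
    what the reader sees. Hypothetical handler, not Tor's real 404 page."""
    return f"<p>The requested URL {unquote(raw_path)} was not found on this server.</p>"


def build_404_safe(raw_path: str) -> str:
    """Fix suggested in the comment: a fixed message that never repeats the URL.
    The path argument is accepted only so all handlers share one signature."""
    return "<p>The URL you typed was not found.</p>"


def build_404_escaped(raw_path: str) -> str:
    """If the path must be displayed, HTML-escape it so it can be shown but never
    interpreted as markup. This stops script or tag injection, but the text
    injection itself remains: only the fixed message removes it."""
    return f"<p>The requested URL {html.escape(unquote(raw_path))} was not found on this server.</p>"


def echoes_request_text(handler, sentinel: str = "canary-text-7f3a") -> bool:
    """Self-check for a 404 handler: request a path containing a harmless
    sentinel and see whether it is reflected in the response body.
    True means request text reaches the page, i.e. text injection is possible."""
    body = handler(f"/missing/{sentinel}")
    return sentinel in body


if __name__ == "__main__":
    for name, handler in (("echoing", build_404_echoing),
                          ("safe", build_404_safe),
                          ("escaped", build_404_escaped)):
        print(f"{name:8s} reflects request text: {echoes_request_text(handler)}")
        print("   ", handler(SAMPLE_PATH))
```

Running the check against the three handlers shows why the comment prefers the fixed message: escaping alone still reports the sentinel as reflected, because the attacker's sentence is plain text and survives `html.escape` unchanged; only the handler that never repeats the URL comes back clean.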

comment:3 Changed 3 years ago by hiro

Resolution: invalid
Status: closed → reopened

comment:4 Changed 3 years ago by hiro

Owner: changed from tpa to hiro
Status: reopened → assigned

comment:5 Changed 3 years ago by hiro

Status: assigned → accepted