Ticket #1019 (closed defect: fixed)

Opened 3 years ago

Last modified 7 months ago

CVE-2009-0417: Cross-site scripting vulnerability in handling of incoming URLs

Reported by: david
Owned by: david
Priority: highest
Milestone: 0.11.6
Component: request
Version: 0.11.5
Severity: critical
Keywords:
Cc:
Patch attached: no

Description

According to RFC 3986, several characters, among them HTML-significant ones such as "<", ">" and the double quote, are not allowed literally in URLs and must be percent-encoded. However, some browsers (at least Microsoft Internet Explorer versions 6 and 7) violate this rule and send URLs containing such characters unencoded to the web server. As a consequence, CGI variables such as REQUEST_URI and QUERY_STRING may contain characters that, when reflected into an HTML document, become cross-site scripting attack vectors.

Agavi uses these variables, among others, to determine the request URL, and in certain places returns the data without further modification:

  • AgaviWebRouting::gen(null)
    • gen('routename') or gen(null, array('foo' => 'bar')) etc are not affected
  • AgaviWebRequest::getRequestUri()
  • AgaviWebRequest::getUrlPath()
  • AgaviWebRequest::getUrlQuery()
  • AgaviWebRequest::getUrl()

Using any of these methods in the HTML output of an application running an affected version of Agavi may allow an attacker to craft a malicious URL that injects code into the resulting HTML document, e.g. by sending that URL to a victim who then clicks it.

Affected versions:

  • Agavi/0.11 up to and including Agavi/0.11.6-RC2
  • Agavi/1.0 up to and including Agavi/1.0.0-beta7

Available fixes:

  • Upgrade to Agavi/0.11.6 or Agavi/1.0.0-beta8
  • Apply one of the attached patches to your copy of Agavi

Possible workarounds:

  • Apply one of the attached patches to your copy of Agavi
  • Use Suhosin version 0.9.21 or later, which protects against this
  • Wrap any calls to the methods above in PHP's htmlspecialchars() function wherever their result is output into HTML
  • Sanitize the affected $_SERVER values before calling AgaviContext::getInstance()
    • the attached patches should serve as an adequate HOWTO
    • be advised that in this case, other variables such as HTTP_X_REWRITE_URL or ORIG_PATH_INFO may need the same treatment, depending on your server configuration
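
The following is an added example, not Agavi's code and not one of the attached patches. It illustrates the injection path from the description together with the last two workarounds above: a small sanitizer applied to $_SERVER before AgaviContext::getInstance() that percent-encodes the characters RFC 3986 forbids literally, followed by htmlspecialchars() at output time. The function names, the constructed REQUEST_URI value and the PHP 7.4+ syntax are this example's own assumptions; it assumes nothing about Agavi's internals beyond what the ticket states.

```php
<?php
// Added example, not part of Agavi or of the attached patches. Demonstrates the
// "sanitize the affected $_SERVER values before AgaviContext::getInstance()"
// workaround from the ticket, plus htmlspecialchars() at output time.
// Requires PHP 7.4+ (typed parameters, arrow functions). Run with: php example.php

/**
 * Percent-encode every byte that RFC 3986 does not allow literally in a URI,
 * i.e. anything outside unreserved (ALPHA DIGIT - . _ ~), gen-delims
 * (: / ? # [ ] @) and sub-delims (! $ & ' ( ) * + , ; =). A "%" is kept only
 * when it starts a valid %XX sequence, so a compliant URL passes through
 * unchanged and the function is idempotent.
 */
function rfc3986_reencode(string $uri): string
{
    return preg_replace_callback(
        '/%(?![0-9A-Fa-f]{2})|[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/',
        static fn(array $m): string => sprintf('%%%02X', ord($m[0])),
        $uri
    );
}

/**
 * Re-encode the $_SERVER entries Agavi may derive the request URL from. Call it
 * on $_SERVER before AgaviContext::getInstance(). QUERY_STRING is deliberately
 * left alone, following the shipped fix: the change history ([3767]) records
 * that escaping it broke routing and was not needed. Application code that
 * echoes $_SERVER['QUERY_STRING'] directly still needs htmlspecialchars().
 */
function sanitize_server_url_vars(array &$server): void
{
    // HTTP_X_REWRITE_URL / ORIG_PATH_INFO only exist under some rewrite setups,
    // which is why the ticket says they "may need the same treatment".
    foreach (['REQUEST_URI', 'HTTP_X_REWRITE_URL', 'ORIG_PATH_INFO'] as $key) {
        if (isset($server[$key]) && is_string($server[$key])) {
            $server[$key] = rfc3986_reencode($server[$key]);
        }
    }
}

// Constructed input: a request-target as IE 6/7 would send it (a compliant
// client would have sent %3C, %3E and %22 instead of the literal characters).
$server = ['REQUEST_URI' => '/search?q=<script>alert("xss")</script>'];

// Before: the value an unpatched AgaviWebRequest::getRequestUri() hands back.
echo "raw:       ", $server['REQUEST_URI'], "\n";

sanitize_server_url_vars($server);
echo "sanitized: ", $server['REQUEST_URI'], "\n";
// sanitized: /search?q=%3Cscript%3Ealert(%22xss%22)%3C/script%3E

// Still escape at output. Re-encoding is defence in depth, not a replacement:
// RFC 3986 permits "'" and "&" literally, so a URL dropped into a single-quoted
// attribute or into text could still break out without ENT_QUOTES.
echo '<a href="', htmlspecialchars($server['REQUEST_URI'], ENT_QUOTES, 'UTF-8'),
     '">current page</a>', "\n";

// Sanity check: a second pass must not double-encode already-valid input.
if (rfc3986_reencode($server['REQUEST_URI']) !== $server['REQUEST_URI']) {
    throw new RuntimeException('rfc3986_reencode is not idempotent');
}
```

The sanitizer only touches bytes a compliant client would never have sent literally, so it is safe to apply unconditionally in a front controller; the output-escaping step remains mandatory because valid URLs can legitimately contain quote and ampersand characters.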

We'd like to thank Daniel Kubitza for advising us of this issue.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2009-0417 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
You can view details on the vulnerability at the following URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0417

If you have questions about this vulnerability, please direct them to the users mailing list.

Attachments

1019-0.11.5.patch Download (2.4 KB) - added by david 3 years ago.
Hotfix for Agavi/0.11.5
1019-1.0.0beta7.patch Download (2.3 KB) - added by david 3 years ago.
Hotfix for Agavi/1.0.0-beta7

Change History

Changed 3 years ago by david

  • status changed from new to closed
  • resolution set to fixed

(In [3761]) Fix #1019/CVE-2009-0417: Cross-site scripting vulnerability in handling of incoming URLs

Changed 3 years ago by david

(In [3762]) fix comment, refs #1019

Changed 3 years ago by david

(In [3765]) fixed register_long_arrays ini_get(), refs #1019

Changed 3 years ago by david

(In [3766]) merge [3765/branches/0.11], refs #1019

Changed 3 years ago by david

  • status changed from closed to reopened
  • resolution fixed deleted

seems to break the routing in certain cases

Changed 3 years ago by david

  • status changed from reopened to closed
  • resolution set to fixed

(In [3767]) Fix #1019 w/o side effects: don't escape QUERY_STRING (not necessary for our purpose)

Changed 3 years ago by david

(In [3768]) merge [3767/branches/0.11], refs #1019

Changed 3 years ago by david

Hotfix for Agavi/0.11.5

Changed 3 years ago by david

Hotfix for Agavi/1.0.0-beta7
