granicus.if.org Git - transmission/commitdiff
Tracker error XSS in inspector (web client)
author Mike Gelfand <mikedld@mikedld.com>
Thu, 22 Feb 2018 22:27:31 +0000 (01:27 +0300)
committer Mike Gelfand <mikedld@mikedld.com>
Tue, 17 Apr 2018 10:25:49 +0000 (13:25 +0300)
Tracker error messages are inadequately output encoded when rendered by the
tracker information page inside the WebUI, allowing a malicious tracker to
inject an XSS payload into the page. Exploiting this issue allows an
attacker to supply arbitrary client-side code that will ultimately be
rendered and executed within the end user's web browser.

Found by Rory McNamara (Gotham Digital Science). CVE pending.
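
The defect described above, reproduced as an added example that is not Transmission's own code: a minimal stand-in for the inspector's tracker-activity rendering before and after the fix, with a constructed tracker record and an assumed escaping helper standing in for the web client's sanitizeText() (its exact implementation is not on this page). The leaksMarkup() check is a regression test a maintainer could keep next to the template.

```javascript
// Assumed stand-in for the web client's sanitizeText(): escape the characters
// that can change HTML context when a string is concatenated into markup.
function sanitizeText(text) {
    return String(text)
        .replace(/&/g, '&amp;')
        .replace(/</g, '&lt;')
        .replace(/>/g, '&gt;')
        .replace(/"/g, '&quot;')
        .replace(/'/g, '&#39;');
}

// Constructed tracker record: the remote tracker controls both result strings,
// so they are untrusted input to the page.
const tracker = {
    announce: 'http://tracker.example/announce',
    lastAnnounceResult: '<b>not a real error</b> & "quoted"',
    lastScrapeResult: 'Could not connect to tracker'
};

// Pre-fix rendering: the status values are concatenated raw into the markup,
// so any tag in the tracker's message becomes part of the page DOM.
function renderActivityUnsafe(t) {
    return ['<div class="tracker_activity">',
            '<div>Last Announce: ', t.lastAnnounceResult, '</div>',
            '<div>Last Scrape: ', t.lastScrapeResult, '</div>',
            '</div>'].join('');
}

// Post-fix rendering: every tracker-supplied value passes through sanitizeText()
// before it is joined into the html fragment. (Labels are client-side strings.)
function renderActivitySafe(t) {
    return ['<div class="tracker_activity">',
            '<div>Last Announce: ', sanitizeText(t.lastAnnounceResult), '</div>',
            '<div>Last Scrape: ', sanitizeText(t.lastScrapeResult), '</div>',
            '</div>'].join('');
}

// Regression check: remove the template's own <div> tags and report whether
// any tag characters from the tracker-supplied values survive in the output.
function leaksMarkup(html) {
    const templateTags = /<\/?div(\s[^>]*)?>/g;
    return /[<>]/.test(html.replace(templateTags, ''));
}
```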

web/javascript/inspector.js

index 19ea36aafbaa2de61bf61007e632c34cc5282d34..917334dd3e86bb2ad303f14056419f200acc0225 100644 (file)
@@ -742,9 +742,9 @@ function Inspector(controller) {
                                html.push('<li class="inspector_tracker_entry ', parity, '"><div class="tracker_host" title="', sanitizeText(tracker.announce), '">',
                                          sanitizeText(tracker.host || tracker.announce), '</div>',
                                          '<div class="tracker_activity">',
-                                         '<div>', lastAnnounceStatusHash['label'], ': ', lastAnnounceStatusHash['value'], '</div>',
+                                         '<div>', lastAnnounceStatusHash['label'], ': ', sanitizeText(lastAnnounceStatusHash['value']), '</div>',
                                          '<div>', announceState, '</div>',
-                                         '<div>', lastScrapeStatusHash['label'], ': ', lastScrapeStatusHash['value'], '</div>',
+                                         '<div>', lastScrapeStatusHash['label'], ': ', sanitizeText(lastScrapeStatusHash['value']), '</div>',
                                          '</div><table class="tracker_stats">',
                                          '<tr><th>Seeders:</th><td>', (tracker.seederCount > -1 ? tracker.seederCount : na), '</td></tr>',
                                          '<tr><th>Leechers:</th><td>', (tracker.leecherCount > -1 ? tracker.leecherCount : na), '</td></tr>',
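Review bot: The two status values now go through sanitizeText(), but the same html.push() chain still concatenates lastAnnounceStatusHash['label'], announceState and the seeder/leecher values raw; please confirm in the surrounding code that those are client-side labels and numeric counts rather than anything derived from tracker responses, since any remaining tracker-supplied string in this template would have the same problem the commit fixes. A unit test that renders a tracker whose announce and scrape results contain '<' and '&' and asserts that only the escaped form appears in the fragment would guard against the next edit of this template reintroducing the issue.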