Zend Framework

Script injection using the 'default' route

Details

  • Type: Bug
  • Status: Resolved
  • Priority: Critical
  • Resolution: Fixed
  • Affects Version/s: 1.9.3
  • Fix Version/s: 1.9.5
  • Component/s: Zend_Controller
  • Labels: None

Description

When assembling URLs with $encode = true and using the default route, for instance a URL like controller/action/paramName/paramValue, the Zend_Controller_Router_Route_Module class urlencodes 'controller', 'action' and 'paramValue', but not 'paramName'.

This allows for an attack vector where HTML is injected into the 'paramName' segment of the URL. For example, the default route will parse the following URL:

/foo/bar/%22%3e%3cscript%3ealert(11639)%3c/script%3e

Into the following request:

'controller' => 'foo'
'action' => 'bar'
'"><script>alert(11639)<' => 'script>'
'module' => 'default'

If you then use the default route to construct a URL in the foo/bar view (with $reset = false), it will display this way:

/foo/bar/"><script>alert(11639)</script%3e

Looks like script injection to me. This particular instance doesn't do the alert because the closing script tag is malformed (properly encoded). The obvious workaround for this is to additionally escape the resulting URL with htmlspecialchars(), but that requirement didn't seem intuitive given that the URL was already supposed to be encoded.

So, is this a bug or expected behavior for some other reason?
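The following is an added example, not code from Zend Framework or from the reporter: a small Python model of the default route's match/assemble behaviour as the report describes it, with the 1.9.3 behaviour (parameter names written raw) beside the corrected one (parameter names urlencoded like values), plus the htmlspecialchars-style output escaping the report mentions as a workaround. The function names, the simplified route (no module-name detection, no array parameters) and the php_urlencode helper are assumptions of this model.

```python
# Added example: a Python model of the default-route match/assemble behaviour
# described in the report above. This is NOT Zend Framework code; it mimics
# only the parts of Zend_Controller_Router_Route_Module that matter here.
import html
from urllib.parse import quote, unquote_plus


def php_urlencode(s: str) -> str:
    """Approximate PHP's urlencode(): keep alnum, '-', '_', '.'; space -> '+';
    everything else (including '~') becomes an uppercase %XX escape."""
    return quote(s, safe='-_.').replace('%20', '+').replace('~', '%7E')


def match_default_route(path: str) -> dict:
    """Model of match(): split the path on '/' FIRST, then urldecode each
    segment. An encoded '/' inside a segment therefore does not create a new
    segment, but an encoded '<', '>' or '"' is restored verbatim into the
    parameter NAME. Simplification (assumption): no module-name detection,
    no array parameters."""
    raw = [seg for seg in path.split('/') if seg != '']
    params = {'module': 'default', 'controller': 'index', 'action': 'index'}
    if raw:
        params['controller'] = unquote_plus(raw.pop(0))
    if raw:
        params['action'] = unquote_plus(raw.pop(0))
    for i in range(0, len(raw), 2):
        key = unquote_plus(raw[i])
        val = unquote_plus(raw[i + 1]) if i + 1 < len(raw) else None
        params[key] = val
    return params


def assemble(params: dict, encode: bool = True, encode_keys: bool = False) -> str:
    """Model of assemble(). encode_keys=False reproduces the 1.9.3 behaviour
    the report describes (controller, action and values urlencoded, parameter
    names written raw); encode_keys=True is the corrected behaviour."""
    enc = php_urlencode if encode else (lambda s: s)
    url = ''
    if params.get('module', 'default') != 'default':
        url += '/' + enc(params['module'])
    url += '/' + enc(params.get('controller', 'index'))
    url += '/' + enc(params.get('action', 'index'))
    for key, value in params.items():
        if key in ('module', 'controller', 'action'):
            continue
        name = enc(key) if encode_keys else key
        url += '/' + name + '/' + enc('' if value is None else value)
    return url


def contains_html_metachars(url: str) -> bool:
    """Check to run on an assembled URL before trusting it inside an HTML
    attribute: any raw '<', '>', '"' or "'" means the encoder let markup through."""
    return any(c in url for c in '<>"\'')


def embed_in_href(url: str) -> str:
    """The workaround the report mentions: escape the URL for the HTML context
    (htmlspecialchars in PHP) regardless of how it was assembled."""
    return '<a href="%s">link</a>' % html.escape(url, quote=True)


# Constructed input: the URL from the report.
MALICIOUS_PATH = '/foo/bar/%22%3e%3cscript%3ealert(11639)%3c/script%3e'


def demo():
    """Return (request params, 1.9.3-style URL, fixed URL) for the report's URL."""
    req = match_default_route(MALICIOUS_PATH)
    vulnerable = assemble(req, encode=True, encode_keys=False)
    fixed = assemble(req, encode=True, encode_keys=True)
    return req, vulnerable, fixed


if __name__ == '__main__':
    req, vulnerable, fixed = demo()
    print(req)
    print('1.9.3 :', vulnerable)
    print('fixed :', fixed)
    print('href  :', embed_in_href(vulnerable))
```

The model reproduces the request the report shows ('"><script>alert(11639)<' => 'script>') and the 1.9.3-style URL with the raw `<script>` in it; PHP's urlencode emits uppercase hex, so the model writes `%3E` where the report types `%3e`. With parameter names encoded, the assembled URL contains no HTML metacharacters and still matches back to the same request. Escaping the URL for the HTML context on output remains worthwhile even after the fix, since the router cannot know which context the URL will be written into.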

Activity

Matthew Weier O'Phinney added a comment -

Fixed in trunk and 1.9 release branch.

