CVE-2022-37724: WO Adaptor URL Sanitization Fixes by NotsoanoNimus · Pull Request #992 · wocommunity/wonder

Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces.

CVE
#xss #vulnerability #web #apache

Added fix-ups to the Utilities/Adaptors subfolders specifically to address a vulnerability in parsing, whereby an adversary can directly inject their own headers and content into the web requests going to the application (WO) servers behind the adaptor.

The new code returns a 404 on any encounter of a 0x0D (carriage-return) or a 0x0A (line-feed) character in the adaptor translate functions, and the defined forbidden character set is written in such a way as to be expandable later as necessary. This behavior of returning a 404 error mimics Apache’s mitigation of the use of %2f in request URLs.

IMPORTANTLY: This URL cleanliness will not affect content within query strings usually, since those characters are not typically expanded by webserver software before reaching the adaptor interface.

Tested and operating in an active production scenario, filtering arbitrary HTTP header injection or URL-based reflection but maintaining normal operation as expected. The most recent commit addresses enabling the protection by default but provides the option to regress to the previous behavior in situations and deployments where it may be considered safe or necessary.

For more information about the problem being fixed, I will post a separate link to my blog for interested users.
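The check the PR describes, written out as an added example in C (the language of the adaptor sources) rather than the pull request's own code: a table-driven forbidden byte set holding 0x0D and 0x0A, a scan of the decoded request URL that returns 404 on the first hit, and an enforce flag standing in for the PR's "enabled by default, can be switched off" option. The function names, the constants and the sample URLs are assumptions constructed for this illustration, not identifiers from the Wonder adaptors.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status values used by this example (not the adaptor's own). */
#define ADAPTOR_OK        0
#define ADAPTOR_NOT_FOUND 404

/* Forbidden byte set kept as a table so further bytes can be added later,
 * as the PR describes. CR (0x0D) and LF (0x0A) are the two the fix rejects,
 * because either one lets a request line spill into a new header line. */
static const unsigned char FORBIDDEN_BYTES[] = { 0x0D, 0x0A };

/* Returns nonzero when c is in the forbidden set. */
static int is_forbidden_byte(unsigned char c) {
    for (size_t i = 0; i < sizeof FORBIDDEN_BYTES; i++) {
        if (FORBIDDEN_BYTES[i] == c) {
            return 1;
        }
    }
    return 0;
}

/* Scan a request URL as handed to the adaptor (already percent-decoded by the
 * web server, which is why the check applies to the path and not usually to
 * the query string) and return 404 on the first forbidden byte, else 0. */
int adaptor_check_url(const char *url, size_t url_len) {
    for (size_t i = 0; i < url_len; i++) {
        if (is_forbidden_byte((unsigned char)url[i])) {
            return ADAPTOR_NOT_FOUND;
        }
    }
    return ADAPTOR_OK;
}

/* Translate-stage entry point: with enforce set (the default in the PR) the
 * URL is rejected on forbidden bytes; with enforce clear the legacy behaviour
 * of passing every URL through is retained for deployments that opt out. */
int adaptor_translate_url(const char *url, int enforce) {
    if (!enforce) {
        return ADAPTOR_OK; /* legacy behaviour: no filtering */
    }
    return adaptor_check_url(url, strlen(url));
}

int main(void) {
    /* Constructed sample URLs: one clean, one carrying a CR LF pair that would
     * otherwise start a new header line inside the proxied request. */
    const char *clean    = "/cgi-bin/WebObjects/ExampleApp.woa/wa/default";
    const char *injected = "/cgi-bin/WebObjects/ExampleApp.woa/wa\r\nX-Injected: 1";

    printf("clean, enforced:    %d\n", adaptor_translate_url(clean, 1));
    printf("injected, enforced: %d\n", adaptor_translate_url(injected, 1));
    printf("injected, legacy:   %d\n", adaptor_translate_url(injected, 0));
    return 0;
}
```

Because the scan runs over a length rather than stopping at the first NUL, it also covers the case where a decoded byte sequence contains an embedded NUL before the CR or LF; the NUL-terminated wrapper is only for convenience in the translate path.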

Related news

GHSA-xv7r-9vq4-9wrq: Project Wonder WebObjects vulnerable to Arbitrary HTTP Header Injection and Cross-site Scripting

Project Wonder WebObjects 1.0 through 5.4.3 is vulnerable to Arbitrary HTTP Header injection and URL- or Header-based XSS reflection in all web-server adaptor interfaces. A patch for this issue is available at commit number b0d2d74f13203268ea254b02552600850f28014b.
