Go: net/http/cgi,net/http/fcgi: Cross-Site Scripting (XSS) when Content-Type is not specified

Created on 20 Aug 2020 · 6 Comments · Source: golang/go

When a Handler does not explicitly set the Content-Type header, both CGI implementations default to “text/html”.

If an attacker can make a server generate content under their control (e.g. a JSON containing user data or an uploaded image file) this might be mistakenly returned by the server as “text/html”. If a victim visits such a page they could get the attacker's code executed in the context of the server origin.

After the fix, the Content-Type header is set based on the contents of the first Write using http.DetectContentType, which is consistent with the behavior of the net/http package.

Although this protects some applications that validate the contents of uploaded files, not setting the Content-Type header explicitly on any attacker-controlled file is unsafe and should be avoided.

Thanks to RedTeam Pentesting GmbH for reporting this issue; you can access their advisory at the following address once it's published: https://www.redteam-pentesting.de/advisories/rt-sa-2020-004

This issue is CVE-2020-24553.
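The following is an added example, not code from the Go project or from this issue. It uses two small illustrative `http.ResponseWriter` wrappers to show the behaviour the report describes: the legacy default of `text/html` whenever a handler leaves Content-Type unset (the exact header string is assumed), and the fixed behaviour of detecting the type from the first Write with `http.DetectContentType`. It also demonstrates the caveat in the report: sniffing still yields `text/html` when the served bytes happen to form an HTML document, so an explicit Content-Type (with `X-Content-Type-Options: nosniff`) remains the real mitigation. The sample bodies are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// sniffingWriter mimics the fixed behaviour described in the issue: when the
// handler has not set Content-Type by the time of the first Write, the type is
// detected from those first bytes with http.DetectContentType.
// Illustrative wrapper for this note, not the net/http/cgi implementation.
type sniffingWriter struct {
	http.ResponseWriter
	headerSent bool
}

func (w *sniffingWriter) WriteHeader(code int) {
	if w.headerSent {
		return
	}
	w.headerSent = true
	w.ResponseWriter.WriteHeader(code)
}

func (w *sniffingWriter) Write(p []byte) (int, error) {
	if !w.headerSent {
		if w.Header().Get("Content-Type") == "" {
			w.Header().Set("Content-Type", http.DetectContentType(p))
		}
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(p)
}

// legacyWriter mimics the pre-fix behaviour: an unset Content-Type silently
// becomes text/html no matter what the body contains. The exact header value
// is an assumption; the issue only says "text/html".
type legacyWriter struct {
	http.ResponseWriter
	headerSent bool
}

func (w *legacyWriter) WriteHeader(code int) {
	if w.headerSent {
		return
	}
	w.headerSent = true
	if w.Header().Get("Content-Type") == "" {
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
	}
	w.ResponseWriter.WriteHeader(code)
}

func (w *legacyWriter) Write(p []byte) (int, error) {
	if !w.headerSent {
		w.WriteHeader(http.StatusOK)
	}
	return w.ResponseWriter.Write(p)
}

func legacy(rw http.ResponseWriter) http.ResponseWriter   { return &legacyWriter{ResponseWriter: rw} }
func sniffing(rw http.ResponseWriter) http.ResponseWriter { return &sniffingWriter{ResponseWriter: rw} }

// serveThrough runs handler behind the given wrapper and returns the
// Content-Type header a client would receive.
func serveThrough(wrap func(http.ResponseWriter) http.ResponseWriter, handler http.HandlerFunc) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/", nil)
	handler.ServeHTTP(wrap(rec), req)
	return rec.Result().Header.Get("Content-Type")
}

// Constructed sample bodies: a JSON document carrying user data, and an
// "uploaded file" whose bytes happen to form an HTML document.
var (
	userJSON     = []byte(`{"display_name":"user-supplied text"}`)
	uploadedFile = []byte(`<html><body>user-supplied page</body></html>`)
)

// unsetType writes the body without setting Content-Type: the pattern the
// issue warns about.
func unsetType(body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) { w.Write(body) }
}

// explicitType is the safe pattern: declare the type yourself and tell the
// browser not to second-guess it.
func explicitType(ctype string, body []byte) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", ctype)
		w.Header().Set("X-Content-Type-Options", "nosniff")
		w.Write(body)
	}
}

func main() {
	fmt.Println("legacy,   JSON,   no Content-Type:", serveThrough(legacy, unsetType(userJSON)))
	fmt.Println("sniffing, JSON,   no Content-Type:", serveThrough(sniffing, unsetType(userJSON)))
	fmt.Println("sniffing, upload, no Content-Type:", serveThrough(sniffing, unsetType(uploadedFile)))
	fmt.Println("explicit, upload:                 ", serveThrough(sniffing, explicitType("application/octet-stream", uploadedFile)))
}
```

The JSON body is served as `text/html` by the legacy wrapper but as `text/plain` once the first bytes are sniffed, which is the protection the fix adds. The HTML-shaped upload is still sniffed as `text/html`, which is why the report says that relying on detection for attacker-controlled files is unsafe: only the handler that sets the header explicitly gets `application/octet-stream`.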

NeedsFix Security release-blocker

All 6 comments

Change https://golang.org/cl/252179 mentions this issue: net/http/cgi,net/http/fcgi: add Content-Type detection

/cc @FiloSottile @katiehockman @empijei

Huh. This should have been closed by https://go-review.googlesource.com/c/go/+/252179, which includes Fixes #40928. Apparently our tooling didn't pick it up for some reason.

In any case, this has been resolved.

My bad, that CL hasn't been merged yet. Re-opening.

This issue was open because CL 252179 has not been submitted yet. I'll reopen to track that (otherwise we risk shipping Go 1.16 without the fix).

I left a ping comment on the CL.
