[Bug 1914372] Re: Ubuntu packages affected by CVE-2020-24553
Dariusz Gadomski
1914372 at bugs.launchpad.net
Wed Feb 3 10:26:38 UTC 2021
** Description changed:
[Impact]
- Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
+ Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html
is the default for CGI/FCGI handlers that lack a Content-Type header.
[Test Case]
- Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
+ Described as POC at https://www.redteam-pentesting.de/en/advisories/rt-
sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-transport-may-
lead-to-cross-site-scripting:
- 1. Use the snippet of CGI go code provided and run it: go run poc.go
- 2. Run nginx with the config provided to forward the FastCGI calls to the go program.
- 3. curl -i -o - http://localhost:8000
- 4. Observe the output.
+ 1. Use the snippet of CGI go code provided and run it: go run poc.go
+ 2. Run nginx with the config provided to forward the FastCGI calls to the go program.
+ 3. curl -i -o - http://localhost:8000
+ 4. Observe the output.
- In a affected go build the output will say:
+ In an affected golang build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png
[Where problems could occur]
- * It may affect deployments where go apps are used as CGI scripts - if
+ * It may affect deployments where go apps are used as CGI scripts - if
the setup was incorrectly relying on hard-coded content type it may
require fixing it.
[Other Info]
-
- * The fix is present in golang-1.15 for hirsute and groovy.
+
+ * The fix is present in golang-1.15 for hirsute and groovy.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to golang-1.10 in Ubuntu.
https://bugs.launchpad.net/bugs/1914372
Title:
Ubuntu packages affected by CVE-2020-24553
Status in golang-1.10 package in Ubuntu:
New
Status in golang-1.14 package in Ubuntu:
New
Status in golang-1.10 source package in Xenial:
New
Status in golang-1.14 source package in Xenial:
Invalid
Status in golang-1.10 source package in Bionic:
New
Status in golang-1.14 source package in Bionic:
Invalid
Status in golang-1.14 source package in Focal:
New
Status in golang-1.14 source package in Groovy:
New
Status in golang-1.14 source package in Hirsute:
New
Bug description:
[Impact]
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because
text/html is the default for CGI/FCGI handlers that lack a Content-
Type header.
[Test Case]
Described as POC at https://www.redteam-pentesting.de/en/advisories
/rt-sa-2020-004/-inconsistent-behavior-of-gos-cgi-and-fastcgi-
transport-may-lead-to-cross-site-scripting:
1. Use the snippet of CGI go code provided and run it: go run poc.go
2. Run nginx with the config provided to forward the FastCGI calls to the go program.
3. curl -i -o - http://localhost:8000
4. Observe the output.
In an affected golang build the output will say:
Content-Type: text/html (...)
while in the fixed version it should recognize the content type correctly as:
Content-Type: image/png
[Where problems could occur]
* It may affect deployments where go apps are used as CGI scripts -
if the setup was incorrectly relying on hard-coded content type it may
require fixing it.
[Other Info]
* The fix is present in golang-1.15 for hirsute and groovy.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/golang-1.10/+bug/1914372/+subscriptions
More information about the foundations-bugs
mailing list