SS-2015-021: Hash rewrite URL filtering

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

Severity:: Medium (?)
Identifier:: SS-2015-021
Versions Affected:: 3.1.15 and below, 3.2.0
Versions Fixed:: 3.1.16, 3.2.1
Release Date:: 2015-11-16

When SSViewer rewrites has links, it takes the whole URL after the base and prepends it to the hash. So for http://example.com/foo, links like "#" become "/foo#". This prevents them being interpreted as relative to the base tag (i.e. as "http://example.com/#")

However this URL isn't well filtered, so a URL like http://example.com//evil.com will have it's hash links be rewritten to be "//evil.com#"

This fix has been resolved by pre-filtering $_SERVER['REQUEST_URI'] to clean leading double-slashes which would otherwise denote such urls as protocol-relative links.

Common Vulnerability Scoring System (CVSS) Information