oxyno-zeta s3-proxy Reflected Cross-Site Scripting Vulnerability
Vulnerability
A reflected cross-site scripting vulnerability has been identified in oxyno-zeta/s3-proxy, an AWS S3 proxy written in Go. This vulnerability is present in versions prior to v4.18.1. The issue arises in the folder-list template, where the Request.URL.Path variable is rendered into the HTML without proper sanitization. Attackers can exploit this by crafting malicious URLs that inject scripts into the web application. When these URLs are visited, the injected scripts are executed in the context of the user, potentially leading to session hijacking or phishing attacks on a trusted domain.
Impact
Exploitation of this vulnerability allows for reflected cross-site scripting, where injected scripts are executed in the user's context. This could lead to session hijacking or phishing attacks.
Reproduction
To reproduce this vulnerability, use the default template configuration. Navigate to a path that does not exist, such as '/path-not-found', which will confirm that the page is using the default folder-list template. Then, replace '/path-not-found' with a crafted path that includes an image tag with an 'onerror' event handler, such as '/<img src="x" onerror="alert(1)">'. When this URL is accessed, the alert will demonstrate that the script has been executed, confirming the cross-site scripting vulnerability.
Remediation
Users are advised to upgrade to version 4.18.1 or later, where this vulnerability has been patched.
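The root cause described under Vulnerability, shown as an added Go example (not s3-proxy's code and not its actual patch): the same heading that prints Request.URL.Path is rendered once without escaping and once with contextual HTML escaping. The template string, the pageData type and the function names are hypothetical, and using text/template for the unescaped side is an assumption made only to illustrate verbatim output.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"net/http"
	"net/url"
	texttemplate "text/template"
)

// Constructed stand-in for a folder-list heading; not the project's template.
const heading = `<h1>Index of {{ .Request.URL.Path }}</h1>`

// pageData exposes the request to the template (assumed shape).
type pageData struct{ Request *http.Request }

// RenderUnescaped uses text/template, which writes the path verbatim.
func RenderUnescaped(path string) (string, error) {
	t, err := texttemplate.New("list").Parse(heading)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, pageData{&http.Request{URL: &url.URL{Path: path}}})
	return buf.String(), err
}

// RenderEscaped uses html/template, which escapes the path for HTML text.
func RenderEscaped(path string) (string, error) {
	t, err := htmltemplate.New("list").Parse(heading)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	err = t.Execute(&buf, pageData{&http.Request{URL: &url.URL{Path: path}}})
	return buf.String(), err
}

func main() {
	p := `/<img src="x" onerror="alert(1)">` // path from the Reproduction section
	raw, _ := RenderUnescaped(p)
	safe, _ := RenderEscaped(p)
	fmt.Println("text/template:", raw)
	fmt.Println("html/template:", safe)
}
```

The two functions can double as a regression check after upgrading a custom template: the escaped output must never contain a literal tag taken from the request path.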
