Do not pass Go. Do not collect $200

Apps built using Go could be vulnerable to XSS exploits

UPDATED Inconsistent behavior of Go’s CGI and FastCGI interfaces may lead to cross-site scripting (XSS) security vulnerabilities in apps built using older versions of the programming language.

Security researchers at German firm RedTeam Pentesting discovered that CGI and FastCGI implementations in the Go standard library behave differently from the HTTP server implementation when serving content.

“In contrast to the documented behavior, they [Go's CGI and FastCGI Transport] may return non-HTML data as HTML,” an advisory by RedTeam Pentesting explains.

“This may lead to cross-site scripting vulnerabilities, even if uploaded data has been validated during upload.”

RedTeam Pentesting disclosed the issue to the programmers behind Go, who responded by developing fixed versions (1.14.8, 1.15.1). The patched software was released on September 1.

App developers are advised to use these versions of the programming language in order to avoid risk from the vulnerability (CVE-2020-24553), which RedTeam Pentesting classifies as “medium” risk.

Content-type trickery

Go’s CGI and FastCGI interface is a legacy technology that’s been around since the early 1990s and used for executing applications.

As a result of the vulnerability, an application built using Go might be vulnerable to server-side XSS attacks.

Exploits are possible because a malicious user could upload an upload an image, such as a PNG file, and include a script block with JavaScript in the comment.

When this image is served later, it has the incorrect MIME type, which allows the JavaScript to be execute via the script tag, as it’s (incorrectly) treated as HTML.

Read more of the latest web hacking news

The vulnerability itself is easy to exploit and the impact can be severe.

“The consequences heavily depend on the web application,” RedTeam Pentesting told The Daily Swig.

“In the worst case, the attackers have full control of the user's session and can use the web application in the user's name.”

The researchers added that they are “aware of vulnerable applications in the wild”.

Bugs in the Go library resulted in a XSS vulnerability in Gitea, RedTeam PenTesting disclosed on Tuesday (September 8). Gitea is an open source package used by software developers to manage version control.

This story was updated on September 8 to report that developer tool Gitea was among the apps affected by the bug,

RECOMMENDED New HTTP request smuggling variants levied against modern web servers