CVE-2026-22256
Reflected XSS in Salvo list_html Path Rendering Before

Publication date: 2026-01-08

Last updated on: 2026-03-05

Assigner: GitHub, Inc.

Description
Salvo is a Rust web backend framework. Prior to version 0.88.1, the function list_html generates an HTML file listing for a directory that includes a rendering of the current path, and that path is inserted into the HTML without proper sanitization. This leads to reflected XSS: the request path is percent-decoded and normalized in the matching stage, but the resulting value (current.path) is inserted raw into the HTML view. The only constraint is that the root path (e.g. /files in the PoC example) must have a subdirectory (common ones such as styles/, scripts/, etc.) so that matching returns the listing HTML page instead of the Not Found page. This issue has been patched in version 0.88.1.
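The bug class described above, as an added example that is not Salvo's code: a minimal directory-listing renderer in Rust in the vulnerable shape (the decoded request path interpolated straight into the page) next to a hardened version that HTML-escapes every untrusted value. The function names (list_html_vulnerable, list_html_fixed, handle_listing, percent_decode, html_escape), the probe path and the directory contents are this example's own assumptions, not Salvo internals; only the decode-then-render pattern mirrors the advisory.

```rust
// Added illustrative example for CVE-2026-22256, not Salvo's own code.
// It reproduces the bug class (decoded request path rendered raw into HTML)
// beside a hardened renderer. All names here are assumptions for the demo.

/// Percent-decode a request path, as a router does before matching.
/// Malformed escapes ("%zz") are kept literally. Simplified for the demo.
fn percent_decode(path: &str) -> String {
    let bytes = path.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%'
            && i + 2 < bytes.len()
            && bytes[i + 1].is_ascii_hexdigit()
            && bytes[i + 2].is_ascii_hexdigit()
        {
            // Both following bytes are ASCII hex digits, so the slice is valid UTF-8.
            let v = u8::from_str_radix(&path[i + 1..i + 3], 16).expect("hex digits checked");
            out.push(v);
            i += 3;
        } else {
            out.push(bytes[i]);
            i += 1;
        }
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Escape the characters that break out of HTML text and quoted attributes.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Vulnerable shape: the path (and the entry names) go into the markup as-is.
fn list_html_vulnerable(current_path: &str, dirs: &[&str], files: &[&str]) -> String {
    let mut html = format!("<html><body><h1>Index of {}</h1><ul>", current_path);
    for d in dirs {
        html.push_str(&format!("<li><a href=\"{0}/\">{0}/</a></li>", d));
    }
    for f in files {
        html.push_str(&format!("<li><a href=\"{0}\">{0}</a></li>", f));
    }
    html.push_str("</ul></body></html>");
    html
}

/// Hardened shape: every untrusted string is escaped for the context it lands in.
/// Entry names come from the filesystem, which an uploader may control, so they
/// are escaped too (defence in depth beyond the advisory's current.path).
fn list_html_fixed(current_path: &str, dirs: &[&str], files: &[&str]) -> String {
    let mut html = format!("<html><body><h1>Index of {}</h1><ul>", html_escape(current_path));
    for d in dirs {
        let e = html_escape(d);
        html.push_str(&format!("<li><a href=\"{0}/\">{0}/</a></li>", e));
    }
    for f in files {
        let e = html_escape(f);
        html.push_str(&format!("<li><a href=\"{0}\">{0}</a></li>", e));
    }
    html.push_str("</ul></body></html>");
    html
}

/// Request pipeline as the advisory describes it: decode for matching, then render.
/// `patched` selects the hardened renderer.
fn handle_listing(request_path: &str, dirs: &[&str], files: &[&str], patched: bool) -> String {
    let current_path = percent_decode(request_path);
    if patched {
        list_html_fixed(&current_path, dirs, files)
    } else {
        list_html_vulnerable(&current_path, dirs, files)
    }
}

fn main() {
    // Constructed probe: the PoC shape from the advisory, percent-encoded the way a browser sends it.
    let probe = "/files/%3Cscript%3Ealert(1)%3C/script%3E/";
    let dirs = ["styles", "scripts"];
    let files = ["readme.txt"];
    let marker = "<script>alert(1)</script>";
    let before = handle_listing(probe, &dirs, &files, false);
    let after = handle_listing(probe, &dirs, &files, true);
    println!("vulnerable renderer reflects raw payload: {}", before.contains(marker));
    println!("hardened renderer reflects raw payload:   {}", after.contains(marker));
    println!("hardened heading: {}", &after[..after.find("</h1>").unwrap_or(after.len())]);
}
```

The percent-encoded probe matters: browsers percent-encode angle brackets in a URL path before sending it, so a victim who clicks a normal link sends exactly the %3C/%3E form, and it is the decode-for-matching step that turns it back into live markup in the listing.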
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-01-08
EPSS evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: salvo; Product: salvo; Version / Range: all versions before 0.88.1 (0.88.1 excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions
Executive Summary

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the Rust web backend framework Salvo, specifically in versions prior to 0.88.1. The function list_html generates an HTML view of a folder and inserts the current request path directly into the HTML without proper sanitization. Because the request path is decoded and normalized but not safely escaped before being embedded in the HTML, an attacker can craft a malicious URL path that injects arbitrary JavaScript code into the page. This leads to reflected XSS, allowing script execution in the victim's browser when they visit the crafted URL. Exploitation requires the root path to have at least one subdirectory so that the directory listing page is returned instead of a 404 error. The issue was fixed in version 0.88.1. [1]

Impact Analysis

Successful exploitation lets an attacker run arbitrary JavaScript in the origin of the Salvo application, in the victim's browser. Depending on what else is served from that origin, how sessions are handled and whether a Content Security Policy is in place, this can mean session hijacking, theft of data the page can reach, actions performed in the victim's name, or a convincing phishing page on a trusted host. Because the issue is reflected, the attacker must get a victim to open a crafted link; nothing is stored on the server. The record cited here reports a CVSS score of 8.8 (High). [1]

Detection Guidance

To check a deployment, send a request whose path carries an HTML payload under a static root that has at least one subdirectory (so the listing page, not the Not Found page, is returned) and see whether the response reflects it unescaped. Try both the literal and the percent-encoded form, since the path is decoded before it is rendered and a proxy or HTTP parser in front of Salvo may reject raw angle brackets in the request line: curl -i 'http://your-salvo-server/files/<script>alert(1)</script>/' and curl -i 'http://your-salvo-server/files/%3Cscript%3Ealert(1)%3C/script%3E/'. A vulnerable server answers 200 with text/html whose body contains <script>alert(1)</script> verbatim; a patched one renders it as &lt;script&gt;alert(1)&lt;/script&gt; or not at all. Web vulnerability scanners that inject payloads into URL path segments, not only into query parameters and request bodies, can also find this issue. [1]
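A small checker for the response side of that test, added here as an example that is not part of the page or of Salvo. It takes a raw HTTP/1.x response as curl -i prints it (status line, headers, blank line, body) and classifies whether the probe payload came back raw, HTML-escaped, not at all, or whether the server did not return a listing page in the first place (the Not Found case the advisory's subdirectory constraint is about). It also builds the literal and percent-encoded probe URLs. The three sample responses are constructed for the demo; the names (classify, parse_response, probe_urls, percent_encode, html_escape, Reflection) are this example's own.

```rust
// Added example for CVE-2026-22256 detection, not Salvo's code. Classifies a
// captured HTTP response for raw vs escaped reflection of the probe payload.
// Sample responses are constructed; names are assumptions for the demo.

#[derive(Debug, PartialEq)]
enum Reflection {
    /// Payload present verbatim in a 200 text/html body: vulnerable.
    Raw,
    /// Payload present only as HTML entities: rendered safely.
    Escaped,
    /// Listing page returned but the payload is absent.
    NotReflected,
    /// Not a 200 text/html response (e.g. the Not Found page) or unparsable.
    NotListingPage,
}

/// Minimal HTML escaping, used to build the "escaped" form to search for.
/// A renderer that uses numeric entities instead would show as NotReflected.
fn html_escape(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Percent-encode everything outside the RFC 3986 unreserved set (uppercase hex).
fn percent_encode(s: &str) -> String {
    let mut out = String::new();
    for b in s.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => out.push(b as char),
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Literal and percent-encoded probe URLs under a static root that has a subdirectory.
fn probe_urls(base: &str, root: &str, payload: &str) -> [String; 2] {
    [
        format!("{}{}/{}/", base, root, payload),
        format!("{}{}/{}/", base, root, percent_encode(payload)),
    ]
}

/// Split a raw HTTP/1.x response into (status code, lowercase content-type, body).
fn parse_response(raw: &str) -> Option<(u16, String, &str)> {
    let (head, body) = match raw.split_once("\r\n\r\n") {
        Some(parts) => parts,
        None => raw.split_once("\n\n")?,
    };
    let mut lines = head.lines();
    let status: u16 = lines.next()?.split_whitespace().nth(1)?.parse().ok()?;
    let content_type = lines
        .filter_map(|l| l.split_once(':'))
        .find(|(name, _)| name.trim().eq_ignore_ascii_case("content-type"))
        .map(|(_, value)| value.trim().to_ascii_lowercase())
        .unwrap_or_default();
    Some((status, content_type, body))
}

/// Decide how the server handled the payload. Use a payload unique enough that a
/// legitimate page cannot contain it, otherwise Raw can be a false positive.
fn classify(raw_response: &str, payload: &str) -> Reflection {
    let (status, content_type, body) = match parse_response(raw_response) {
        Some(parts) => parts,
        None => return Reflection::NotListingPage,
    };
    if status != 200 || !content_type.starts_with("text/html") {
        return Reflection::NotListingPage;
    }
    if body.contains(payload) {
        Reflection::Raw
    } else if body.contains(&html_escape(payload)) {
        Reflection::Escaped
    } else {
        Reflection::NotReflected
    }
}

// Constructed sample responses in the shape `curl -i` prints.
const VULNERABLE_RESPONSE: &str = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n\
<html><body><h1>Index of /files/<script>alert(1)</script>/</h1>\
<ul><li><a href=\"styles/\">styles/</a></li></ul></body></html>";
const PATCHED_RESPONSE: &str = "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n\
<html><body><h1>Index of /files/&lt;script&gt;alert(1)&lt;/script&gt;/</h1>\
<ul><li><a href=\"styles/\">styles/</a></li></ul></body></html>";
const NOT_FOUND_RESPONSE: &str = "HTTP/1.1 404 Not Found\r\nContent-Type: text/plain\r\n\r\nNot Found";

fn main() {
    let payload = "<script>alert(1)</script>";
    for url in probe_urls("http://your-salvo-server", "/files", payload) {
        println!("probe: {}", url);
    }
    let samples = [("vulnerable", VULNERABLE_RESPONSE), ("patched", PATCHED_RESPONSE), ("not found", NOT_FOUND_RESPONSE)];
    for (label, resp) in samples {
        println!("{:>10}: {:?}", label, classify(resp, payload));
    }
}
```

In practice the raw response string is what curl -si writes to stdout; feeding it to classify with the same payload string used in the probe URL gives the four-way verdict, and a NotListingPage result on the percent-encoded probe usually means the chosen root has no subdirectory, not that the server is patched.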

Mitigation Strategies

The immediate mitigation is to upgrade Salvo to version 0.88.1 or later, where the path is rendered safely. If upgrading is not immediately possible, turn off directory listing for the affected static handlers (in Salvo's StaticDir the listing is controlled by the auto_list option) or restrict who can reach those routes, since the listing page is the only place the path is reflected. A WAF rule that blocks request paths containing angle brackets in both literal and percent-encoded form (%3C, %3E) reduces exposure until the patch is applied, but it is a stopgap: alternative encodings and payloads shaped for the exact HTML context can slip past a naive rule. A Content Security Policy that does not allow inline script limits what a reflected payload can do. [1]

Compliance Impact

The vulnerability allows reflected Cross-Site Scripting (XSS) attacks, which can lead to arbitrary JavaScript execution in users' browsers. This can result in unauthorized access to sensitive information or user accounts, potentially violating data protection requirements under standards like GDPR or HIPAA. Exploitation could compromise confidentiality and integrity of data, thereby affecting compliance with these regulations. However, specific compliance impacts depend on the context of the deployed application and its data handling. [1]
