Impact
The default landing page contained HTML to display a sample curl command which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser from window.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.
This only affects Apollo Routers where the landing page has not been disabled. This issue was introduced in v0.1.0-alpha.7 when the landing page was added.
Patches
To avoid this, the sample curl command has been removed in release 0.15.1.
Workarounds
Disabling the landing page in the Apollo router configuration prevents displaying the example:
server:
landing_page: false
See also
A similar issue exists in the default landing page of Apollo Server 3.0. See the corresponding Apollo Server security advisory.
For more information
If you have any questions or comments about this advisory:
Credits
This issue was discovered by Adrian Denkiewicz of Doyensec.
adenkiewicz Analyst
Impact
The default landing page contained HTML to display a sample
curlcommand which is made visible if the full landing page bundle could not be fetched from Apollo's CDN. The server's URL is directly interpolated into this command inside the browser fromwindow.location.href. On some older browsers such as IE11, this value is not URI-encoded. On such browsers, opening a malicious URL pointing at an Apollo Router could cause execution of attacker-controlled JavaScript.This only affects Apollo Routers where the landing page has not been disabled. This issue was introduced in v0.1.0-alpha.7 when the landing page was added.
Patches
To avoid this, the sample
curlcommand has been removed in release 0.15.1.Workarounds
Disabling the landing page in the Apollo router configuration prevents displaying the example:
See also
A similar issue exists in the default landing page of Apollo Server 3.0. See the corresponding Apollo Server security advisory.
For more information
If you have any questions or comments about this advisory:
Credits
This issue was discovered by Adrian Denkiewicz of Doyensec.