Reflective Cross-Site Scripting in BVNetwork's 404 error handler
Multiple cross site scripting vectors were found in BVNetwork's 404handler. BVNetwork is a 404-error handler page designed for and recommended by EPiServer framework. EPiServer framework is designed to be used as an ecommerce and digital marketing CMS. This product according to EPI’s nugget server has over 35k downloads: BV Network 404 handler on nuget.episerver.com This vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
This issue was successfully tested on version 404handler 10.1.0
BNetwork's 404 error handler page echo back any URL requested and any referer passed to it without sanitizing the input. This allows an attacker to request an URL that contains script to be echoed back into the HTML and execute script. The vulnerability allows an attacker to perform a wide variety of actions, such as stealing Administrators' session tokens, or performing arbitrary actions on their behalf.
This issue exists in in the files NotFoundPageUtil.cs and NotFound.aspx. The NotFoundPageUtil.cs will set the UrlNotFound and Referer variables for the NotFound.aspx file.
Code snipit from NotFoundPageUtil.cs setting UrlNotFound and Referer.
/// Gets the URL that was not found.
/// <param name="request">The request.</param>
public static string GetUrlNotFound(HttpRequestBase request)
string urlNotFound = null;
string query = request.ServerVariables["QUERY_STRING"];
if ((query != null) && query.StartsWith("4"))
string url = query.Split(';');
urlNotFound = HttpUtility.UrlDecode(url);
if (urlNotFound == null)
string parts = query.Split('=');
urlNotFound = request.Url.GetLeftPart(UriPartial.Authority) + HttpUtility.UrlDecode(parts);
/// The refering url
public static string GetReferer(HttpRequestBase request)
string referer = request.ServerVariables["HTTP_REFERER"];
if (referer != null)
// Strip away host name in front, if local redirect
string hostUrl = SiteDefinition.Current.SiteUrl.ToString();
referer = referer.Remove(0, hostUrl.Length);
referer = ""; // Can't have null
Code snippet from NotFound.aspx using the variables set above, with no sanitization before output.
<%= UrlNotFound %>
<%= Referer.Length > 0 ? Content.CameFrom : "" %>
<%= Referer.Length > 0 ? Referer : "" %>
This allows us to send the following request:
GET /foo?q=foo%3Cscript%3Ealert(%27xss%27)%3C%2fscript%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Firefox/52.0
Below is a screenshot of the XSS in action: