[
https://issues.apache.org/jira/browse/GEODE-10411?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Owen Nichols closed GEODE-10411.
--------------------------------
> XSS vulnerabiltiy in Pulse data browser
> ---------------------------------------
>
> Key: GEODE-10411
> URL: https://issues.apache.org/jira/browse/GEODE-10411
> Project: Geode
> Issue Type: Bug
> Components: pulse
> Affects Versions: 1.12.9, 1.12.10, 1.13.8, 1.13.9, 1.14.4, 1.14.5, 1.15.0,
> 1.15.1, 1.16.0
> Reporter: Joris Melchior
> Assignee: Joris Melchior
> Priority: Major
> Labels: pull-request-available
> Fix For: 1.12.10, 1.13.9, 1.14.5, 1.15.1, 1.16.0
>
>
> # Description:
> Stored XSS via data injection into Geode database, the injected
> payload eventually gets executed on Pulse web application when the
> admin querying data from Geode.
> # PoC:
> Step 1: With Geode up and running, run gfsh command to get into
> interactive mode:
> shell$ gfsh
> Step 2: In gfsh console, execute the following command to insert a
> data entry into regionA (assume that regionA is created before). Note
> that the value of this data entry contains JavaScript code:
> gfsh> put --region=regionA --key="test" --value="<script>alert(1)</script>"
> Step 3: Open browser to query editor of Pulse web application at
> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F192.168.93.153%3A7070%2Fpulse%2FdataBrowser.html&data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=ykaOkxe1hlaE7xl8XQNgBQz2%2Ful1QPxrUChoBkuaeyY%3D&reserved=0
> (assume that already
> logged in as admin), execute the following query:
> SELECT * FROM /regionA
> Step 4: Data from regionA will be retrieved, the XSS payload
> eventually get executed
> # Why this is an issue?
> Developer maybe saves user-controlled data to Geode database, users
> maybe submit data via an arbitrary client application (for example, a
> web application), the use of gfsh console just simplifies the PoC.
> # IMPACT:
> Exploiting this XSS vulnerability, an attacker can steal the admin's
> session cookie, therefore take over the admin account.
> # CVSS: 7.6 HIGH
> (https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.first.org%2Fcvss%2Fcalculator%2F3.0%23CVSS%3A3.0%2FAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AR%2FS%3AU%2FC%3AH%2FI%3AL%2FA%3AL&data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=W5dDA8kMdT1IVeUVX6mhWHhZ2HnAZbXErEB%2F0Tjs5hg%3D&reserved=0
> )
> (re-calculate if not correct)
> # Fix:
> The Pulse web application must URL encode data retrieved from Geode database.
> # Credit:
> The issue is found by Nguyen Thai Hung (@nth347), Viettel Cyber Security.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
