[jira] [Commented] (GEODE-10411) XSS vulnerabiltiy in Pulse data browser

["Joris Melchior (Jira)" <ji...@apache.org>]

    [ https://issues.apache.org/jira/browse/GEODE-10411?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17585038#comment-17585038 ] 

Joris Melchior commented on GEODE-10411:
----------------------------------------

Fix and PR submitted for develop branch. Will back-port once the fix is merged into develop.

> XSS vulnerabiltiy in Pulse data browser
> ---------------------------------------
>
>                 Key: GEODE-10411
>                 URL: https://issues.apache.org/jira/browse/GEODE-10411
>             Project: Geode
>          Issue Type: Bug
>          Components: pulse
>    Affects Versions: 1.12.9, 1.12.10, 1.14.4, 1.14.5, 1.15.0, 1.15.1, 1.16.0
>            Reporter: Joris Melchior
>            Assignee: Joris Melchior
>            Priority: Major
>              Labels: needsTriage, pull-request-available
>
> # Description:
> Stored XSS via data injection into Geode database, the injected
> payload eventually gets executed on Pulse web application when the
> admin querying data from Geode.
> # PoC:
> Step 1: With Geode up and running, run gfsh command to get into
> interactive mode:
>    shell$ gfsh
> Step 2: In gfsh console, execute the following command to insert a
> data entry into regionA (assume that regionA is created before). Note
> that the value of this data entry contains JavaScript code:
>    gfsh> put --region=regionA --key="test" --value="<script>alert(1)</script>"
> Step 3: Open browser to query editor of Pulse web application at
> https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F192.168.93.153%3A7070%2Fpulse%2FdataBrowser.html&amp;data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=ykaOkxe1hlaE7xl8XQNgBQz2%2Ful1QPxrUChoBkuaeyY%3D&amp;reserved=0 (assume that already
> logged in as admin), execute the following query:
>     SELECT * FROM /regionA
> Step 4: Data from regionA will be retrieved, the XSS payload
> eventually get executed
> # Why this is an issue?
> Developer maybe saves user-controlled data to Geode database, users
> maybe submit data via an arbitrary client application (for example, a
> web application), the use of gfsh console just simplifies the PoC.
> # IMPACT:
> Exploiting this XSS vulnerability, an attacker can steal the admin's
> session cookie, therefore take over the admin account.
> # CVSS: 7.6 HIGH
> (https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.first.org%2Fcvss%2Fcalculator%2F3.0%23CVSS%3A3.0%2FAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AR%2FS%3AU%2FC%3AH%2FI%3AL%2FA%3AL&amp;data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=W5dDA8kMdT1IVeUVX6mhWHhZ2HnAZbXErEB%2F0Tjs5hg%3D&amp;reserved=0 )
> (re-calculate if not correct)
> # Fix:
> The Pulse web application must URL encode data retrieved from Geode database.
> # Credit:
> The issue is found by Nguyen Thai Hung (@nth347), Viettel Cyber Security.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)