[BUG] Self-XSS in "Absolute Time Range" #2746

takyoni · 2022-04-13T07:39:37Z

Describe the bug
It's possible to execute JS on application context by modifying the "Absolute Time Range"

To Reproduce
Access to a new dashboard in graphite-web instance (i.e. http://localhost/dashboard).
Use the "Absolute Time Range"
Write in Start Date:
<img src=1 onerror=alert()>
Write in EndDate:
<img src=1 onerror=alert()>
Hover the mouse over these fields
Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" ">" and/or other escaping/scripting characters. -> Sanitize the value before using it.

Screenshots

Environment (please complete the following information):

OS flavor: Debian 11
Graphite-web version 1.1.8
Setup type: docker

The text was updated successfully, but these errors were encountered:

deniszh · 2022-11-06T18:18:27Z

Looks like not fixed in #2785 :(
/cc @msaf1980

msaf1980 · 2022-11-07T07:41:35Z

@deniszh I already update our staging (and production today). Now I can't reproduce a issue (and can before update). No alert window in web front and dangerous symbols are escaped.

msaf1980 · 2022-11-14T06:25:27Z

As I think, bug in ExtJS DateField.

takyoni added the bug label Apr 13, 2022

deniszh added pinned security Security issue xss labels Apr 13, 2022

msaf1980 mentioned this issue Oct 28, 2022

Fix XSS in some dashboards queries #2785

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[BUG] Self-XSS in "Absolute Time Range" #2746

[BUG] Self-XSS in "Absolute Time Range" #2746

takyoni commented Apr 13, 2022

deniszh commented Nov 6, 2022

msaf1980 commented Nov 7, 2022

msaf1980 commented Nov 14, 2022

[BUG] Self-XSS in "Absolute Time Range" #2746

[BUG] Self-XSS in "Absolute Time Range" #2746

Comments

takyoni commented Apr 13, 2022

deniszh commented Nov 6, 2022

msaf1980 commented Nov 7, 2022

msaf1980 commented Nov 14, 2022