Since the keys are getting stored to authorized_keys file it will be executed every time the SSH keys page is being loaded while deleting the key. Attacker can perform further malicious actions using this JavaScript execution.
openwrt/luci@588381e openwrt/luci@aa7938d openwrt/luci@0186d7e
Once key is saved now when we click on delete button. The application asks for confirmation of key deletion and shows the content of the key.
Here the input is not handled properly due to which JavaScript code can be executed.
Exact code line where the issue is happening : https://github.com/openwrt/luci/blob/f470452c4a1c478caf1bbbc19568c523e203e8dc/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js#L207
It is recommended to pull the patched LuCI version from the main branch to mitigate this vulnerability.
Impact
Since the keys are getting stored to authorized_keys file it will be executed every time the SSH keys page is being loaded while deleting the key. Attacker can perform further malicious actions using this JavaScript execution.
Patches
openwrt/luci@588381e
openwrt/luci@aa7938d
openwrt/luci@0186d7e
Proof of Concept
Once key is saved now when we click on delete button. The application asks for confirmation of key deletion and shows the content of the key.
Here the input is not handled properly due to which JavaScript code can be executed.
Exact code line where the issue is happening : https://github.com/openwrt/luci/blob/f470452c4a1c478caf1bbbc19568c523e203e8dc/modules/luci-mod-system/htdocs/luci-static/resources/view/system/sshkeys.js#L207
Workarounds
It is recommended to pull the patched LuCI version from the main branch to mitigate this vulnerability.