Security Vulnerability - Content Injection #22
Comments
benmap-brex. I am unable to follow how this can happen on default configuration. (no logs exposed). Can you please elaborate?
Hey, not sure what the default config is, but usernames are not HTML encoded when reflected into the /logs endpoint on port 6920. If an attacker POSTs to the login endpoint with a username containing HTML it will show up in the logs, as shown in the screenshot above.
I agree with you... @rgooch : this is what happens when templates are not used. Since this happens only when public logs are enabled (non default) I am accepting this as bug, but making this a medium issue.
I updated the impact and accepted this as bug
Thanks for checking into this! Again, didn't know it wasn't a default config 👍
Given this was exposed with a non-default configuration, is there anything we should/can do here?
I've merged code (Cloud-Foundations/Dominator#49) which escapes HTML sequences in the logs display. Anyone building from HEAD will have this fix. I think that completes the source code side of this, so closing. Please re-open if you disagree.
Impact:
Medium
(remotely exploitable with non-default configuration)
CVSS v3.1 Vector:
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
The admin panel logs pages are vulnerable to HTML injection. An attacker can craft a phishing page using HTML + CSS and trick admins who view the page into disclosing their credentials. CSP prevents JS execution, but JS execution isn’t necessary to do damage.
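The difference between copying log lines into the page verbatim and escaping them first, as discussed in this thread, shown as an added example. This is not the project's code or the merged fix; the function names and the log lines are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"html"
	"strings"
)

// Constructed sample log lines; the second carries markup in the username.
var sampleLines = []string{
	`2020/01/01 12:00:00 login failed for user "alice"`,
	`2020/01/01 12:00:05 login failed for user "</pre><h1>injected heading</h1><pre>"`,
}

// renderLogs builds a logs page body (hypothetical helper). With escape=false
// lines are copied verbatim, so markup in a logged username becomes part of
// the document; with escape=true the browser displays it as plain text.
func renderLogs(lines []string, escape bool) string {
	var b strings.Builder
	b.WriteString("<pre>\n")
	for _, l := range lines {
		if escape {
			l = html.EscapeString(l)
		}
		b.WriteString(l + "\n")
	}
	b.WriteString("</pre>\n")
	return b.String()
}

// linesWithMarkup returns the indexes of lines containing angle brackets,
// a quick review aid for logs written before escaping was in place.
func linesWithMarkup(lines []string) []int {
	var hits []int
	for i, l := range lines {
		if strings.ContainsAny(l, "<>") {
			hits = append(hits, i)
		}
	}
	return hits
}

func main() {
	fmt.Print(renderLogs(sampleLines, false), renderLogs(sampleLines, true))
	fmt.Println("lines with markup:", linesWithMarkup(sampleLines))
}
```

In the unescaped output the logged username closes the surrounding `<pre>` and adds its own heading; in the escaped output the same bytes appear as `&lt;h1&gt;...` inside a single `<pre>` block.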