Persistent XSS vulnerability in cobbler-web [CVE-2018-1000225] #1917
Labels: Bug Report, Priority, Security, Web-interface
cobbler-web renders HTML and executes JavaScript payloads that are provided by users.
Combined with authentication problems in the Cobbler XMLRPC API, this allows unauthenticated users to inject malicious payloads into the web UI.
A harmless Proof of Concept script:
Then when you visit the `cobbler_web/events` endpoint:

These payloads can be used to hijack the sessions of administrators and perform actions that the attacker would otherwise be unable to, or to exfiltrate sensitive information.
cobbler-web should sanitize all user-provided inputs, and treat them as untrusted. This includes never rendering user-provided HTML, nor executing user-provided JavaScript.
See this post for more discussion.
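The fix requested above, shown as an added example that is not part of the original report and is not cobbler-web's code: an events table rendered with and without output escaping, plus a parser-based audit that can run as a regression test. The event field names (`name`, `state`), the render functions and the sample records are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample events; "name" and "state" are hypothetical field names.
SAMPLE_EVENTS = [
    {"name": "Sync", "state": "complete"},
    {"name": "<script>alert(1)</script>", "state": "running"},
    {"name": "Build", "state": '" onmouseover="alert(1)'},
]

def render_row_unsafe(event):
    """The 'before': user-supplied values are interpolated verbatim."""
    return '<tr title="{state}"><td>{name}</td></tr>'.format(**event)

def render_row_escaped(event):
    """The 'after': every user-supplied value is escaped on output,
    including quotes, because one value lands inside an attribute."""
    name = html.escape(event["name"], quote=True)
    state = html.escape(event["state"], quote=True)
    return '<tr title="{}"><td>{}</td></tr>'.format(state, name)

def render_events(events, row=render_row_escaped):
    return "<table>\n" + "\n".join(row(e) for e in events) + "\n</table>"

class TagAudit(HTMLParser):
    """Records any element or attribute the template itself does not emit."""
    ALLOWED = {"table": set(), "tr": {"title"}, "td": set()}

    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED:
            self.violations.append(tag)
            return
        for attr, _ in attrs:
            if attr not in self.ALLOWED[tag]:
                self.violations.append(tag + "@" + attr)

def audit(markup):
    """Return the unexpected tags/attributes found in rendered markup."""
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.violations

if __name__ == "__main__":
    print("unsafe :", audit(render_events(SAMPLE_EVENTS, render_row_unsafe)))
    print("escaped:", audit(render_events(SAMPLE_EVENTS)))
```

The audit treats the template's own tags and attributes as the allow-list, so any element or attribute that originates from stored data shows up as a violation.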