Hello,
I want to report a reflected cross-site scripting issue on view.html.
A function call on view.html, line 48, will append the error message via the showErrorMessage function.
The showErrorMessage function is declared in js/graph.js. The error message is appended to the HTML without any escaping.

    function showErrorMessage(message) {
        var $errorContainer = $("#errorContainer");
        $errorContainer.show();
        $errorContainer.html("");
        // message is handed to jQuery's append(), which parses it as HTML markup rather than text
        $errorContainer.append(message);
    }
So we can create a malicious error query and then trigger the XSS easily:
/view.html?q={"metrics":[{"tags":{},"name":"123","group_by":[{"name":"tag","tags":["1"]}],"aggregators":[{"name":"sum","sampling":{"value":"<script>alert(document.domain)</script>","unit":"milliseconds"}}],"limit":"1"}],"plugins":[],"cache_time":0,"start_absolute":1570723200000,"end_absolute":1571241600000}&d=[{"scale":true}]
You can escape the malicious code, or fix it with URL encoding, append(htmlEncode(message)), before appending to the HTML.
Best Regards.
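Added example (not KairosDB's code): a hardened replacement for the showErrorMessage shown in the report, rendering the message as text instead of HTML, plus an htmlEncode helper for the reporter's suggested approach. The container parameter and the constructed SAMPLE_MESSAGE are assumptions so the code can run outside a browser.

```javascript
// Encode the five characters that change meaning in HTML text and attribute
// contexts. Use this when a string really has to be passed to .html()/innerHTML.
function htmlEncode(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened showErrorMessage. `container` is any element-like object with a
// textContent property (a DOM element in the browser; a plain object in tests).
// Assigning textContent displays markup literally instead of executing it;
// with jQuery the equivalent is $errorContainer.text(message).
function showErrorMessage(message, container) {
  container.hidden = false;                // same effect as $errorContainer.show()
  container.textContent = String(message); // never parsed as HTML
  return container.textContent;
}

// Constructed message modelled on the sampling "value" in the report's PoC URL.
const SAMPLE_MESSAGE = 'Invalid sampling value: <script>alert(document.domain)</script>';
```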
Nice hacking.
Honestly how did you find that?
@brianhks
I was testing my Grafana apps then. I saw something weird in kairosdb's error message, so I started to trace the code and found the bug.
fix kairosdb#569
a6d4abe