Reflect Cross-site Scripting on error message (WEB UI / view.html, graph.js) #569

Closed
k1tten opened this issue Oct 24, 2019 · 3 comments

k1tten commented Oct 24, 2019

Hello,

I want to report a reflected cross-site scripting issue in view.html.

Vulnerability

A function call in view.html, line 48, appends the error message via the showErrorMessage function.

The showErrorMessage function is declared in js/graph.js. The error message is appended to the HTML without any escaping.

```javascript
function showErrorMessage(message) {
	var $errorContainer = $("#errorContainer");
	$errorContainer.show();
	$errorContainer.html("");
	// message is inserted as HTML markup, not as text: any tags it contains are rendered
	$errorContainer.append(message);
}
```

So we can create a malicious error query and then trigger the XSS easily:

/view.html?q={"metrics":[{"tags":{},"name":"123","group_by":[{"name":"tag","tags":["1"]}],"aggregators":[{"name":"sum","sampling":{"value":"<script>alert(document.domain)</script>","unit":"milliseconds"}}],"limit":"1"}],"plugins":[],"cache_time":0,"start_absolute":1570723200000,"end_absolute":1571241600000}&d=[{"scale":true}]

Fix

You can escape the malicious code, or fix it with URL encoding (append(htmlEncode(message))) before appending to the HTML.

Best Regards.
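The mitigation sketched in the Fix section, as an added example that is not KairosDB's own code: an htmlEncode helper and a hardened showErrorMessage that encodes the message before it reaches the HTML sink. jQuery is not loaded here, so a small constructed stand-in object records what would be inserted into #errorContainer; the sample message is constructed and carries the script pattern from the report.

```javascript
// Escape the characters that change meaning in HTML text and attribute context.
function htmlEncode(str) {
  return String(str)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Stand-in for the jQuery-wrapped #errorContainer (constructed for this example).
// append() behaves like jQuery's: it inserts its argument as HTML, unescaped.
function makeContainer() {
  return {
    html: "",
    visible: false,
    show() { this.visible = true; },
    clear() { this.html = ""; },
    append(markup) { this.html += markup; },
  };
}

// Hardened version of the function from js/graph.js: encoding happens before
// append(), so a <script> tag in the message is rendered as literal text.
// In the real page, $errorContainer.text(message) is the idiomatic jQuery
// equivalent, since .text() never parses its argument as markup.
function showErrorMessageSafe(container, message) {
  container.show();
  container.clear();
  container.append(htmlEncode(message));
  return container.html;
}

// Defender-side check: true if the rendered markup still contains an unescaped tag.
function containsRawTag(html) {
  return /<[a-zA-Z\/]/.test(html);
}

// Constructed sample error message echoing the payload pattern from the issue.
const SAMPLE_MESSAGE =
  "Invalid sampling value: <script>alert(document.domain)</script>";
```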

brianhks (Member):

Nice hacking.


brianhks commented Dec 5, 2019

Honestly how did you find that?


k1tten commented Dec 6, 2019

@brianhks

I was testing my Grafana apps at the time.
I saw something weird in KairosDB's error message, so I started tracing the code and found the bug.

kyleboyle added a commit to kyleboyle/kairosdb that referenced this issue Dec 20, 2019