
Server-Side Request Forgery in Metersphere leads to Cross-Site Scripting

Moderate
liqiang-fit2cloud published GHSA-vrv6-cg45-rmjj Dec 26, 2022

Package

maven io.metersphere:metersphere (Maven)

Affected versions

< 2.5.0

Patched versions

2.5.0

Description

Summary

A server-side request forgery in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources, and also to execute JavaScript code in the context of Metersphere's origin against a victim of a reflected XSS.

Details

Metersphere's IssueProxyResourceController exposes a /md/get/url endpoint that passes the user-controlled url GET parameter (1) on to getMdImageByUrl (2).

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/controller/IssueProxyResourceController.java
@RestController
@RequestMapping(value = "/resource")
public class IssueProxyResourceController {
    @Resource
    IssueProxyResourceService issueProxyResourceService;
    @GetMapping(value = "/md/get/url")
    public ResponseEntity<byte[]> getFileByUrl(@RequestParam ("url") String url, @RequestParam (value = "platform", required = false) String platform, // 1
                                               @RequestParam ("project_id") String projectId, @RequestParam ("workspace_id") String workspaceId) {
        return issueProxyResourceService.getMdImageByUrl(url, platform, projectId, workspaceId); // 2
    }
}

getMdImageByUrl then passes url to RestTemplate's exchange method at (3), which fetches url server-side and returns its contents to the caller. The visible check on url only rejects values containing "md/get/url" (so the endpoint cannot be pointed at itself); nothing shown restricts the scheme or host, so any URL the Metersphere server can reach is proxied.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/service/wapper/IssueProxyResourceService.java#L32
public ResponseEntity<byte[]> getMdImageByUrl(String url, String platform, String projectId, String workspaceId) {
    if (url.contains("md/get/url")) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    ...
    return restTemplate.exchange(url, HttpMethod.GET, null, byte[].class); // 3
}
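To make the weakness concrete, this added example (not Metersphere code) reproduces the substring check above as weak_check and places a host-allowlist validator beside it; ALLOWED_IMAGE_HOSTS is a constructed allowlist, not the project's real configuration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Mirrors the only visible validation in the vulnerable getMdImageByUrl:
# a substring blocklist that says nothing about scheme or host.
def weak_check(url: str) -> bool:
    return "md/get/url" not in url

# Hypothetical allowlist of external image hosts the proxy is meant to fetch
# from (constructed for this example; not taken from Metersphere).
ALLOWED_IMAGE_HOSTS = {"images.example.com", "securitylab.github.com"}


def hardened_check(url: str, allowed_hosts=ALLOWED_IMAGE_HOSTS) -> bool:
    """Accept only https URLs whose host is on an explicit allowlist.

    Rejects IP-literal hosts (loopback, private ranges, IPv6 brackets)
    and URLs carrying userinfo, so the proxy cannot be pointed at
    internal services the way the original endpoint could.
    """
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # lower-cased, brackets stripped
    if not host:
        return False
    try:
        ip_address(host)  # any IP literal is rejected outright
        return False
    except ValueError:
        pass  # not an IP literal; fall through to the allowlist
    return host in allowed_hosts
```

Even with an allowlist, a client that follows redirects can be steered off the allowlisted host by the remote server, so redirect targets need the same check before they are fetched.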

PoC

curl -X GET 'http://127.0.0.1:8081/resource/md/get/url?url=https://securitylab.github.com'

Patches

The vulnerability has been fixed in v2.5.0.

  • d0f95b5: Restrict the path used by RestTemplate.

Workarounds

It is recommended to upgrade the version to v2.5.0.

For more information

If you have any questions or comments about this advisory, please open an issue.

Severity

Moderate 6.5 / 10

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE ID

CVE-2022-23544
