
/api/app/config exposed anonymously + XSS in callback parameter #546

Closed
oscarintherocks opened this issue Oct 31, 2022 · 1 comment

@oscarintherocks

Summary

The /api/app/config endpoint is exposed anonymously, so anyone can get config details from the API.
The same endpoint accepts the parameter callback, and this parameter is vulnerable to reflected XSS injection.

Steps to reproduce the problem

  1. Install the latest version of Cronicle (v0.9.14 at this time)
  2. From any host, connect to the endpoint:
    curl -k "https://server/api/app/config?callback=<script>alert(1);</script>"
  3. You will receive the script contents reflected in the response, along with details about the config:
    <script>alert(1);</script>({"code":0,"version":"0.9.14","config":{"name":"Cronicle","debug":0,"default_password_type":"password","privilege_list":[{"id":"admin","title":"Administrator"},{"id":"create_events","title":"Create Events"},{"id":"edit_events","title":"Edit Events"},{"id":"delete_events","title":"Delete Events"},{"id":"run_events","title":"Run Events"},{"id":"abort_events","title":"Abort Events"},{"id":"state_update","title":"Toggle Scheduler"}],"new_event_template":{"enabled":1,"params":{},"timing":{"minutes":[0]},"max_children":1,"timeout":3600,"catch_up":0,"queue_max":1000},"job_memory_max":1073741824,"base_api_uri":"/api","default_privileges":{"admin":0,"create_events":1,"edit_events":1,"delete_events":1,"run_events":0,"abort_events":0,"state_update":0},"free_accounts":false,"external_users":0,"external_user_api":"","web_socket_use_hostnames":0,"web_direct_connect":0,"socket_io_transports":0},"port":3012,"master_hostname":"servername","servers":{"servername":{"hostname":"servername","ip":"1.2.3.4"}}});

Your Setup

Cronicle 0.9.14 default install with a master server + 1 worker

Cronicle software version?

v0.9.14

Are you using a multi-server setup, or just a single server?

Master server + 1 worker

Are you using the filesystem as back-end storage, or S3/Couchbase?

Filesystem

Can you reproduce the crash consistently?

Yes

How to Fix

Sanitize the input for the callback parameter and delete all HTML content to fix the XSS.
Require the API key/session key to access this endpoint to fix the config info disclosure.
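As an added illustration of the two fixes the report asks for (not Cronicle's own code), here is the unsafe JSONP pattern beside a hardened version: the callback name is validated against a strict identifier grammar instead of being "cleaned", the response carries an explicit script MIME type, and the config is only returned to an authenticated session. SAMPLE_CONFIG, handleConfigRequest and the plain `req` object are constructed for the example.

```javascript
// Added example (not Cronicle's code): the unsafe JSONP pattern the report
// describes beside a hardened version. SAMPLE_CONFIG is a constructed stand-in
// for the real config payload.
const SAMPLE_CONFIG = { code: 0, version: "0.9.14", config: { name: "Cronicle" } };

// Unsafe: the callback value is spliced into the body verbatim, so whatever
// the client sends is reflected into a script response.
function renderJsonpUnsafe(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// A JSONP callback only ever needs to be a (dotted) JavaScript identifier,
// e.g. "cb" or "window.onConfig". Anything else is rejected outright rather
// than "cleaned", so HTML or punctuation can never reach the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;
const CALLBACK_MAX_LEN = 64;

function isValidCallbackName(name) {
  return typeof name === "string" && name.length <= CALLBACK_MAX_LEN && CALLBACK_RE.test(name);
}

// Hardened: validate the name, send an explicit script MIME type with nosniff,
// and prefix "/**/" so the body never starts with client-controlled bytes.
function renderJsonpSafe(callback, payload) {
  if (!isValidCallbackName(callback)) {
    return { status: 400, headers: { "Content-Type": "application/json" },
             body: JSON.stringify({ code: 1, description: "Invalid callback name" }) };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/javascript; charset=utf-8",
               "X-Content-Type-Options": "nosniff" },
    body: `/**/${callback}(${JSON.stringify(payload)});`,
  };
}

// Hypothetical handler for the disclosure half of the report: the endpoint
// answers only when the caller presents a known session id. `req` is a
// constructed plain object, not an Express or Cronicle request.
function handleConfigRequest(req, validSessionIds) {
  if (!req.session || !validSessionIds.has(req.session)) {
    return { status: 403, headers: { "Content-Type": "application/json" },
             body: JSON.stringify({ code: 1, description: "Authentication required" }) };
  }
  const cb = req.query && req.query.callback;
  if (cb === undefined) {
    return { status: 200, headers: { "Content-Type": "application/json" }, body: JSON.stringify(SAMPLE_CONFIG) };
  }
  return renderJsonpSafe(cb, SAMPLE_CONFIG);
}
```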

jhuckaby added a commit that referenced this issue Nov 3, 2022
- Addresses XSS aspect of issue #546
@jhuckaby
Owner

jhuckaby commented Nov 3, 2022

XSS issue is fixed in v0.9.15: https://github.com/jhuckaby/Cronicle/releases/tag/v0.9.15

As for exposing the config API endpoint, this is not considered a critical issue. The app is really designed to run behind a company firewall, so exposing the configuration in the API call is not considered a big deal. No passwords or API keys are exposed, just some basic configuration to bootstrap the UI.

@jhuckaby jhuckaby closed this as completed Nov 3, 2022