[jira] [Created] (GEODE-10411) XSS vulnerabiltiy in Pulse data browser

[Joris Melchior (Jira)]

Joris Melchior created GEODE-10411:
--------------------------------------

             Summary: XSS vulnerabiltiy in Pulse data browser
                 Key: GEODE-10411
                 URL: https://issues.apache.org/jira/browse/GEODE-10411
             Project: Geode
          Issue Type: Bug
          Components: pulse
    Affects Versions: 1.15.0, 1.14.4, 1.12.9, 1.12.10, 1.14.5, 1.15.1, 1.16.0
            Reporter: Joris Melchior


# Description:

Stored XSS via data injection into Geode database, the injected
payload eventually gets executed on Pulse web application when the
admin querying data from Geode.

# PoC:

Step 1: With Geode up and running, run gfsh command to get into
interactive mode:

   shell$ gfsh

Step 2: In gfsh console, execute the following command to insert a
data entry into regionA (assume that regionA is created before). Note
that the value of this data entry contains JavaScript code:

   gfsh> put --region=regionA --key="test" --value="<script>alert(1)</script>"

Step 3: Open browser to query editor of Pulse web application at
https://nam04.safelinks.protection.outlook.com/?url=http%3A%2F%2F192.168.93.153%3A7070%2Fpulse%2FdataBrowser.html&amp;data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=ykaOkxe1hlaE7xl8XQNgBQz2%2Ful1QPxrUChoBkuaeyY%3D&amp;reserved=0
 (assume that already
logged in as admin), execute the following query:

    SELECT * FROM /regionA

Step 4: Data from regionA will be retrieved, the XSS payload
eventually get executed

# Why this is an issue?

Developer maybe saves user-controlled data to Geode database, users
maybe submit data via an arbitrary client application (for example, a
web application), the use of gfsh console just simplifies the PoC.

# IMPACT:

Exploiting this XSS vulnerability, an attacker can steal the admin's
session cookie, therefore take over the admin account.

# CVSS: 7.6 HIGH
(https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.first.org%2Fcvss%2Fcalculator%2F3.0%23CVSS%3A3.0%2FAV%3AN%2FAC%3AL%2FPR%3AN%2FUI%3AR%2FS%3AU%2FC%3AH%2FI%3AL%2FA%3AL&amp;data=05%7C01%7Cbakera%40vmware.com%7Cc06e6de8d92c4519303708da54fa7d03%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C637915732081233095%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=W5dDA8kMdT1IVeUVX6mhWHhZ2HnAZbXErEB%2F0Tjs5hg%3D&amp;reserved=0
 )
(re-calculate if not correct)

# Fix:

The Pulse web application must URL encode data retrieved from Geode database.

# Credit:

The issue is found by Nguyen Thai Hung (@nth347), Viettel Cyber Security.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)