Description
- Description:
Stored XSS via data injected into a Geode region: the injected payload
is later executed in the Pulse web application when an administrator
queries that data from Geode through the Pulse data browser.
- PoC:
Step 1: With Geode up and running, run the gfsh command to enter
interactive mode:
shell$ gfsh
Step 2: In the gfsh console, execute the following command to insert a
data entry into regionA (assumes regionA already exists). Note that the
value of this entry contains JavaScript code:
gfsh> put --region=regionA --key="test" --value="<script>alert(1)</script>"
Step 3: In a browser, open the query editor (data browser) of the Pulse
web application at http://192.168.93.153:7070/pulse/dataBrowser.html
(assumes the browser is already logged in as admin) and execute the
following query:
SELECT * FROM /regionA
Step 4: The data from regionA is retrieved and rendered, and the XSS
payload executes in the admin's browser.
- Why this is an issue:
A developer may store user-controlled data in Geode, and users may
submit that data through any client application (for example, a web
application); the attacker needs no access to Pulse itself, only a way
to get a value into a region. Using the gfsh console merely simplifies
the PoC.
- IMPACT:
By exploiting this XSS vulnerability, an attacker can steal the admin's
session cookie and thereby take over the admin account (if the cookie is
HttpOnly, the injected script can still issue authenticated requests
from the admin's browser).
- Fix:
The Pulse web application must HTML-encode (escape) data retrieved from
Geode before rendering it into the page, or insert it as text rather
than markup. URL encoding is the wrong encoder for an HTML context.
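The following is an added example and not code from Apache Geode or Pulse. It contrasts an innerHTML-style renderer that concatenates stored region values straight into markup (the pattern behind this report) with the HTML-escaping fix, and shows why URL encoding is the wrong encoder for this context. The result shape (an array of key/value rows) and the sample data are constructed assumptions; the functions return the HTML string that would otherwise be assigned to innerHTML, so the example runs under Node without a DOM.

```javascript
// Added example (not Geode/Pulse code): rendering query results safely.

// Constructed sample result, shaped like what a data-browser endpoint might
// return for `SELECT * FROM /regionA`. The "test" entry carries the PoC payload.
const sampleRows = [
  { key: "test", value: "<script>alert(1)</script>" },
  { key: "greeting", value: 'hello & <b>"world"</b>' },
];

// Vulnerable pattern: untrusted region data is interpolated straight into
// markup, so a stored "<script>" becomes a live element once assigned to
// innerHTML.
function renderRowsUnsafe(rows) {
  return rows
    .map((r) => `<tr><td>${r.key}</td><td>${r.value}</td></tr>`)
    .join("");
}

// HTML entity encoding for text and quoted-attribute contexts.
// '&' is replaced first so that the entities produced afterwards are not
// themselves re-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Fixed pattern: every untrusted value is escaped before it becomes markup.
// The browser displays "<script>alert(1)</script>" as literal text.
function renderRowsSafe(rows) {
  return rows
    .map((r) => `<tr><td>${escapeHtml(r.key)}</td><td>${escapeHtml(r.value)}</td></tr>`)
    .join("");
}

// What a "URL encode the data" fix would produce: no '<' survives, but
// ordinary values are mangled ("hello & ..." is shown as "hello%20%26%20..."),
// because percent-encoding targets URLs, not HTML.
function renderRowsUrlEncoded(rows) {
  return rows
    .map((r) => `<tr><td>${encodeURIComponent(r.key)}</td><td>${encodeURIComponent(r.value)}</td></tr>`)
    .join("");
}

// Quick regression check a reviewer can run against a renderer: does the
// PoC payload survive as a script element?
function leaksScriptElement(renderFn) {
  return /<script/i.test(renderFn(sampleRows));
}

console.log("unsafe :", renderRowsUnsafe(sampleRows));
console.log("escaped:", renderRowsSafe(sampleRows));
console.log("urlenc :", renderRowsUrlEncoded(sampleRows));
```

In a real browser page the cleanest variant avoids the encoder question entirely: create the td elements with document.createElement and assign the value to textContent, which never parses markup.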
- Credit:
The issue was found by Nguyen Thai Hung (@nth347), Viettel Cyber Security.