[sidekiq <= v6.2, v5.1.3] Cross-site-scripting (XSS) #4852
Comments
This was fixed in #2330. Is there a regression?
Sorry, I've updated the ticket. It's different in the link this time.
You need to give me something that works against master. Security issues that are fixed are not issues.
I'm unable to reproduce an issue in Sidekiq v5.1.0. I found and fixed one inconsistency, but I don't see how it can be exploited, as it requires a queue with that name to have jobs in it. Please give more detailed steps or close the issue.
The payload I provided works against the latest version of master. I tested multiple setups; some only worked for IE and the others worked on all browsers, so I couldn't understand why. If you have Internet Explorer you can open this link as proof. The point is that modern browsers auto-encode some characters to URL encoding, which is what makes the PoC fail: https://d.top4top.io/p_19096xn861.png Simply use cURL and you will get it. curl 'https://[HOST]/sidekiq/queues/"onmouseover="alert()"' -H 'Authorization: Basic YWRtaW46QHhoemVlbQ=='
I don't write Ruby, but I tried to trace back the issue and I believe it might be caused by those two lines.
I think you're right about the source, nice job! IE is not a relevant browser these days, but thank you for reporting. I've added a check to the input.
CVE-2021-30151 was assigned to this issue.
Hi there,
I found an XSS vulnerability affecting version v5.1.3 and maybe anything below that.
PoC
[HOST]/sidekiq/queues/"onmouseover="alert('@xhzeem')"