[sidekiq <= v6.2, v5.1.3] Cross-site-scripting (XSS) #4852

Closed
xhzeem opened this issue Mar 24, 2021 · 8 comments

Comments

@xhzeem

xhzeem commented Mar 24, 2021

Hi there,
I found an XSS vulnerability affecting version v5.1.3 and maybe anything below that.

PoC

[HOST]/sidekiq/queues/"onmouseover="alert('@xhzeem')"

@mperham
Collaborator

mperham commented Mar 24, 2021

This was fixed in #2330. Is there a regression?

@xhzeem
Author

xhzeem commented Mar 24, 2021

Sorry, I've updated the ticket.

It's different in the link this time.

@mperham
Collaborator

mperham commented Mar 24, 2021

You need to give me something that works against master. Security issues that are fixed are not issues.

mperham added a commit that referenced this issue Mar 24, 2021
@mperham
Collaborator

mperham commented Mar 24, 2021

I'm unable to reproduce an issue in Sidekiq v5.1.0. I found and fixed one inconsistency but I don't see how it can be exploited as it requires a queue with that name to have jobs in it. Please give more detailed steps or close the issue.

@xhzeem
Author

xhzeem commented Mar 24, 2021

The payload I provided works against the latest version of master. I tested multiple setups; some only worked for IE and the others worked on all browsers, so I couldn't understand why.

If you have Internet Explorer you can open this link as a proof
[HOST]/sidekiq/queues/"><h1>@xhzeem

The point is that modern browsers auto-encode some characters to URL encoding, which converts the " into %22, but Internet Explorer doesn't do that, so you can see it there with no issue. Even so, I have another setup that is vulnerable and exploitable on Chrome, but I don't know why.

PoC: https://d.top4top.io/p_19096xn861.png

Simply use cURL and you will get it.

curl 'https://[HOST]/sidekiq/queues/"onmouseover="alert()"' -H 'Authorization: Basic YWRtaW46QHhoemVlbQ=='

@xhzeem
Author

xhzeem commented Mar 24, 2021

I don't write ruby, but I tried to trace back the issue and I believe it might be caused by those two lines.

https://github.com/mperham/sidekiq/blob/3b5ae30c4e5e9e760268243ab5c14664a2f8d236/web/views/_poll_link.erb#L3-L5

@mperham
Collaborator

mperham commented Mar 25, 2021

I think you're right about the source, nice job!

IE is not a relevant browser these days, but thank you for reporting. I've added a check to the input.
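A constructed illustration of the pattern the thread traces to `_poll_link.erb` (a queue name from the URL path interpolated into a link attribute) next to the two defenses discussed here: escaping the output and checking the input. This is added example code, not Sidekiq's template or mperham's fix; the allowlist regex and function names are assumptions.

```ruby
require "erb"

# Assumed allowlist for queue names: letters, digits, underscore, dot, dash.
QUEUE_NAME_RE = /\A[A-Za-z0-9_.\-]+\z/

# Vulnerable pattern: the name is dropped into an attribute unescaped, so a
# double quote in the path closes the href value and lets new attributes in.
def unsafe_poll_link(queue_name)
  %(<a href="/sidekiq/queues/#{queue_name}" class="poll">Live Poll</a>)
end

# Output escaping: ERB::Util.html_escape turns " into &quot; (and escapes
# & < > '), so the attribute boundary cannot be broken regardless of input.
def escaped_poll_link(queue_name)
  %(<a href="/sidekiq/queues/#{ERB::Util.html_escape(queue_name)}" class="poll">Live Poll</a>)
end

# Input check: does the name match what a queue name may legitimately contain?
def valid_queue_name?(queue_name)
  queue_name.is_a?(String) && queue_name.match?(QUEUE_NAME_RE)
end

# Defense in depth: reject unexpected names early, and still escape on output.
def checked_poll_link(queue_name)
  raise ArgumentError, "invalid queue name" unless valid_queue_name?(queue_name)
  escaped_poll_link(queue_name)
end

# Cheap self-check for rendered markup: the link has exactly two attributes,
# so any raw double quote beyond the four delimiters indicates a breakout.
def attribute_breakout?(html)
  html.count('"') != 4
end
```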

@xhzeem xhzeem changed the title Cross-site-scripting (XSS) [sidekiq <= v6.2] Cross-site-scripting (XSS) Apr 3, 2021
@xhzeem xhzeem changed the title [sidekiq <= v6.2] Cross-site-scripting (XSS) [sidekiq <= v6.2, v5.1.3] Cross-site-scripting (XSS) Apr 3, 2021
@abergmann

CVE-2021-30151 was assigned to this issue.
