search

angular-ui / ui-grid

UI Grid: an Angular Data Grid
http://ui-grid.info
MIT License
5.39k stars 2.47k forks source link

[Security Issue] Argument Injection #7170

Open zidingz opened 3 years ago

zidingz commented 3 years ago

Description

In this case, the attacker can specify the value that enters the program at get() in customizer.js at line 137, and this value is used to access a system resource at get() in customizer.js at line 142.

Explanation:

A resource injection issue occurs when the following two conditions are met:

An attacker can specify the identifier used to access a system resource. For example, an attacker might be able to specify a port number to be used to connect to a network resource.

By specifying the resource, the attacker gains a capability that would not otherwise be permitted. For example, the program may give the attacker the ability to transmit sensitive information to a third-party server.

PoC

$http.get(FILES.JSON_THEMES)
        .then(function (themeList) {
          var promises = [];
          var themes = {};
          angular.forEach(themeList.data, function(theme) {
            var tp = $http.get('/customizer/themes/' + theme + '.json');
            tp.then(function (response) {
              themes[theme] = response.data;
            });
            promises.push(tp);
          });

Impact

Attackers can control the resource identifier argument to get() at customizer.js line 142, which could enable them to access or modify otherwise protected system resources.

Location

https://github.com/angular-ui/ui-grid/blob/4aa2cc59a6bc683552a1e328f639a0aa0a0c7527/misc/site/js/customizer.js#L142