arachnys / cabot

Self-hosted, easily-deployable monitoring and alerts service - like a lightweight PagerDuty
MIT License

Security Fix for Stored Cross-site Scripting (XSS) - huntr.dev #694

Closed huntr-helper closed 3 years ago

huntr-helper commented 3 years ago

https://huntr.dev/users/alromh87 has fixed the Stored Cross-site Scripting (XSS) vulnerability 🔨. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program 💵. Think you could fix a vulnerability like this?

Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/cabot/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/cabot/1/README.md |

User Comments:

📊 Metadata *

Bounty URL: https://www.huntr.dev/bounties/1-pypi-cabot/

βš™οΈ Description *

Executed Persistent stored XSS in cabot check settings, as well as the address field.

💻 Technical Description *

Fixed by using the built-in Django autoescape and URLValidator.

Although Django has inbuilt protection against XSS, it was disabled for the test result.error by using {% autoescape off %}. Just to be sure I wasn't breaking any needed functionality, I inspected the history to determine the purpose of this change.

As an extra, I added URLValidator in the Http test model.

πŸ› Proof of Concept (PoC) *

  1. Set up cabot to reproduce the vulnerability.
  2. Create an account, then log in to the account.
  3. Go to Checks, click Create and navigate to HTTP check.
  4. In the Endpoint column append an XSS payload: <script>alert('Hi')</script>
  5. Now we can see a failed check; click the Run button for that check.
  6. XSS triggered.
  7. XSS will trigger in the check result every time it is executed, for both Test name and Endpoint.

Screenshot of 2020-09-13 12-33-03

Screenshot of 2020-09-13 12-32-53

Proof of Fix (PoF) *

After the fix, no code is executed for the remote user.

Screenshot of 2020-09-13 12-27-30

Screenshot of 2020-09-13 12-28-33

The fix will also handle previously stored offending endpoints with XSS.

πŸ‘ User Acceptance Testing (UAT)

After fix functionality is unafected
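The two layers of the fix described in the report above, as an added illustration that is not cabot's own code or the merged patch: the standard-library `html.escape` stands in for Django's template autoescaping, `is_valid_http_endpoint` is a simplified stand-in (an assumption, not Django's implementation) for the `URLValidator` added to the HTTP check model, and the stored endpoint value is a constructed sample.

```python
import html
from urllib.parse import urlparse

# Constructed sample input: an attacker-controlled Endpoint value of the kind the PoC describes.
STORED_ENDPOINT = "http://example.invalid/<script>alert('Hi')</script>"


def render_error_cell(test_name: str, endpoint: str, autoescape: bool = True) -> str:
    """Render a check result's error message into an HTML table cell.

    autoescape=False mirrors the original template's ``{% autoescape off %}`` block:
    whatever was stored on the check (name, endpoint) lands in the page verbatim.
    autoescape=True is the fixed behaviour: HTML-significant characters are escaped
    at render time, which also neutralises endpoints stored before the fix.
    """
    message = f"{test_name}: request to {endpoint} failed"
    if autoescape:
        message = html.escape(message, quote=True)
    return f'<td class="error">{message}</td>'


HTML_SPECIAL = set('<>"\'')


def is_valid_http_endpoint(url: str) -> bool:
    """Input-side check for the HTTP check's endpoint field.

    Simplified stand-in (assumption) for Django's URLValidator: accept only http(s)
    URLs that carry a host, and reject anything containing HTML-significant characters.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return not (HTML_SPECIAL & set(url))


if __name__ == "__main__":
    print(render_error_cell("HTTP check", STORED_ENDPOINT, autoescape=False))  # raw <script> reaches the page
    print(render_error_cell("HTTP check", STORED_ENDPOINT))                    # &lt;script&gt; is inert text
    print(is_valid_http_endpoint(STORED_ENDPOINT))                             # False
    print(is_valid_http_endpoint("https://example.invalid/health"))            # True
```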

FuccDucc commented 3 years ago

The cabot project is dead (inactive repository), but I hope they realize this is a serious vulnerability. It is CVE-2020-7734, scored as 8.2 HIGH on https://nvd.nist.gov/vuln/detail/CVE-2020-7734

So @dbuxton or @frankh, please do something and merge this important security fix.

Also see https://snyk.io/vuln/SNYK-PYTHON-CABOT-609862 for more details. They were right to say "There is no fixed version for cabot" under remediation.

With all sources combined, the public knowledge of the specifics of this vulnerability is enough to make exploitation by a lot of people possible. So it's not safe for it to be unpatched this long.

Merge it and deploy a new release or hotfix.

dbuxton commented 3 years ago

Thanks for the feedback. Exploitation of this requires admin access, so we did not prioritize it, but as the fix is simple and uncontroversial it's now merged.

FuccDucc commented 3 years ago

Nice..

The last release, 0.11.7, dates back to 2017, and there are a lot of later commits in master.

How about making a new release that will include this security patch and also serve not to let all of those other updates go to waste? @dbuxton