huashengdun / webssh

:seedling: Web based ssh client
https://webssh.huashengdun.org/
MIT License

XSS injection in webssh hostname field #374

Open adb014 opened 9 months ago

adb014 commented 9 months ago

There is an XSS injection attack possible against the hostname field of webssh. For example, if webssh is on port 443 of the local machine

https://localhost/?hostname=%3Cscript%3Ealert(%221%22)%3C/script%3E

will demonstrate the existence of the attack.

adb014 commented 8 months ago

The patch

--- static/js/main.js.orig      2024-03-11 17:12:37.270301908 +0000
+++ static/js/main.js   2024-03-11 18:31:04.497099056 +0000
@@ -325,7 +325,7 @@

   function log_status(text, to_populate) {
     console.log(text);
-    status.html(text.split('\n').join('<br/>'));
+    status.html(text.replace(/&/, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;').split('\n').join('</br>'));

     if (to_populate && validated_form_data) {
       populate_form(validated_form_data);
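
Review bot: `.replace(/&/, '&amp;')` on the `+` line lacks the `g` flag, so only the first `&` in `text` is escaped while every other replacement is global; change it to `.replace(/&/g, '&amp;')`. Two smaller points on the same line: `</br>` is not the `<br/>` the removed line used (write `<br/>` or `<br>`), and the five chained replaces would be clearer as a single pass, e.g. `text.replace(/[&<>"']/g, ch => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#039;'}[ch]))`, so that nothing can be double-escaped and no character can be missed.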

will fix the problem. Can't use "status.text" to replace "status.html" as we're adding "</br>"'s to the text
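
An escaping helper that covers what the patch above is aiming at, as an added example and not code from the webssh project; `escapeHtml`, `statusHtml` and `renderStatus` are assumed names, and `statusHtml` returns the string that would be handed to `status.html(...)` in `log_status`.

```javascript
// Added example, not webssh code. Every HTML-significant character is
// mapped in one pass with the /g flag, so no occurrence is left unescaped
// and no earlier replacement is escaped a second time.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#039;',
};

// escapeHtml: escape untrusted text (e.g. the hostname echoed back in a
// status message) before it is placed into innerHTML.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// statusHtml: safe counterpart of the argument to status.html(...).
// Escape first, then add the <br/> markup for newlines: the markup is
// ours, the text is not.
function statusHtml(text) {
  return escapeHtml(text).split('\n').join('<br/>');
}

// renderStatus: alternative that needs no escaping at all. Text nodes are
// never parsed as markup, so the line breaks can be real <br> elements.
// `el` is an assumed container element (e.g. the status div).
function renderStatus(el, text) {
  el.textContent = '';
  String(text).split('\n').forEach((line, i) => {
    if (i > 0) el.appendChild(document.createElement('br'));
    el.appendChild(document.createTextNode(line));
  });
}
```

`renderStatus` only runs in a browser; `escapeHtml` and `statusHtml` are plain string functions and can be checked anywhere.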

abcbarryn commented 1 month ago

When will this patch be merged?