moqui / moqui-framework

Use Moqui Framework to build enterprise applications based on Java. It includes tools for databases (relational, graph, document), local and web services, web and other UI with screens and forms, security, file/resource access, scripts, templates, l10n, caching, logging, search, rules, workflow, multi-instance, and integration.
http://www.moqui.org

Xss risk #609

Closed daiagou closed 1 year ago

daiagou commented 1 year ago

When we access the admin page, we use a plugin to add the header "X-Forwarded-Host" to the request, with the value '1" onerror='alert("Madison admin XSS Test")'>'. After accessing the page, an "alert" pop-up box appears on the page.

acetousk commented 1 year ago

@daiagou Thank you for reporting this! It would be great if you could be a bit more specific. What admin page are you sending the request header to? What pages does this happen on? What plugin are you talking about? Can you send a curl command that will replicate this?

In the future, send a security issue to moqui-board@googlegroups.com following the security policy

jonesde commented 1 year ago

I'm not able to reproduce this. I tried this curl command using as-is moqui-framework run with java -jar moqui.war (using embedded Jetty):

curl -H "X-Forwarded-Host: 1\" onerror=\"alert('Madison admin XSS Test')\">" http://localhost:8080/Login

The result is an exception from Jetty: java.lang.IllegalArgumentException: Bad Authority caused by: org.eclipse.jetty.http.BadMessageException: 400: Bad header value for X-Forwarded-Host

In your message to the board mailing list you mentioned deploying as a WAR file in Tomcat, perhaps Tomcat does not validate header values like this?

What is more odd is that nothing in OOTB moqui-framework or moqui-runtime would display this header value, there is no instance of the header name X-Forwarded-Host anywhere in the code, and nothing that includes header values in generated output.

In short, I'm not able to reproduce this with OOTB Moqui.

I did notice that the HTML returned by the server was generated by Jetty. If Tomcat is generating the HTML output that includes the header value, resulting in the dialog popping up, then it may be an issue with Tomcat that we couldn't do anything about with Moqui... except to recommend against using whichever version of Tomcat you are using.

If you are using an older version of Tomcat I'd highly recommend updating, and for something like a Servlet Container like Tomcat or Jetty it is very important to update frequently because they are the first point of contact for web traffic and so highly sensitive to security vulnerabilities.
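The Jetty behaviour described above (a 400 for a non-authority X-Forwarded-Host value) can be reproduced in any servlet container with a small filter. This is an added example, not Moqui, Jetty or Tomcat code; it assumes the javax.servlet API and that an HTML-escaping output layer remains the primary defense wherever header values are rendered.

```java
// Added example (not Moqui or container code): reject X-Forwarded-Host values
// that are not a syntactically valid host[:port] authority, mirroring the
// "Bad header value" 400 that Jetty returned in the curl test above.
// Assumes the javax.servlet API (Jetty 9/10, Tomcat 9); for Jakarta-based
// containers change the imports to jakarta.servlet.
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ForwardedHostFilter implements Filter {
    // RFC 3986 reg-name / IPv4 literal or bracketed IPv6 literal, optional port.
    // Quotes, '<', '>', '=' and spaces can never match, so the value from the
    // report ('1" onerror=...') is refused before any page is generated.
    private static final Pattern AUTHORITY = Pattern.compile(
        "^(?:[A-Za-z0-9][A-Za-z0-9._~-]{0,253}|\\[[0-9A-Fa-f:.]+\\])(?::[0-9]{1,5})?$");

    /** True only when the value is shaped like host[:port]. */
    static boolean isValidAuthority(String value) {
        return value != null && AUTHORITY.matcher(value).matches();
    }

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String forwardedHost = ((HttpServletRequest) req).getHeader("X-Forwarded-Host");
        if (forwardedHost != null && !isValidAuthority(forwardedHost)) {
            // Same outcome as Jetty's built-in check: fail the request, do not render.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                "Bad header value for X-Forwarded-Host");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Behind several proxies the header may carry a comma-separated list of hosts; split on "," and validate each entry if your deployment does that. Register the filter ahead of the application's own filters (web.xml or a servlet-container initializer) so it runs before any view is rendered.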

daiagou commented 1 year ago

We used to deploy the WAR package to Tomcat using the "gradle addRuntime" method, which caused the XSS to pop up. However, following your statement, we tried Jetty and it is true that no pop-ups occurred. Thank you so much.