oar-team / oar

OAR is a versatile resource and task manager (also called a batch scheduler) for clusters and other computing infrastructures.
http://oar.imag.fr/
GNU General Public License v2.0

Drawgantt cross-scripting security issue #165

Open matthieu637 opened 5 years ago

matthieu637 commented 5 years ago

Hello, The IT team of my university informed us that there is a problem on the following page: drawgantt.php?start=1552960201&stop=1553219401&filter=all clusters&timezone=Asia/Shangai&resource_base=cpuset";prompt(23206)//&scale=10

I changed our firewall rules but it might also interest you (we are using version 2.5.8~rc8-1).

npf commented 5 years ago

Hello Matthieu, did you succeed in demonstrating the exploit?

matthieu637 commented 5 years ago

Hello, in the link I sent the JS only prompts 23206. I guess it's enough to demonstrate the exploit. The server isn't directly targeted by this kind of exploit but users are (and ultimately the server can be in danger if the target is an admin).

For instance, a hacker could send the following link (https://intranet.grid5000.fr/oar/Nancy/drawgantt-svg/drawgantt.php?start=1552960201&stop=1553219401&filter=all%20clusters&timezone=Asia/Shangai&resource_base=cpuset%22;prompt(23206)//&scale=10) to a user of grid5000 with a malicious JS script that asks for a password and uploads it somewhere. The victim will see "https://intranet.grid5000.fr/" and could think "ok, it's safe", but it's not.
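The report above describes a reflected XSS: the `resource_base` query parameter ends up inside an inline JavaScript string literal, so a `"` in the parameter closes the literal and whatever follows runs as script. The snippet below is an added illustration, not OAR's drawgantt.php code; it assumes the page builds an inline `<script>` string from the parameter (the template shape is a guess) and shows that pattern next to a hardened version that encodes the value as a JavaScript literal and, stricter still, validates it against an allowlist before it reaches the template. The allowlist contents are constructed for the example.

```php
<?php
// Added example (not OAR's code). Illustrates the class of bug reported in
// this issue: a query parameter written verbatim into an inline <script>
// string, beside a hardened version of the same output.

// Vulnerable pattern (assumed template shape): the value is concatenated
// directly, so a double quote in $resource_base terminates the JS string
// literal and the rest of the parameter is parsed as code.
function render_vulnerable(string $resource_base): string
{
    return '<script>var resource_base = "' . $resource_base . '";</script>';
}

// Hardened: json_encode emits a valid JS string literal. The JSON_HEX_*
// flags also encode < > & ' " as \uXXXX so the value can never close the
// <script> element or break out of the literal, whatever it contains.
function render_safe(string $resource_base): string
{
    $literal = json_encode(
        $resource_base,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var resource_base = ' . $literal . ';</script>';
}

// Defence in depth: the parameter is a resource property name, so reject
// anything outside an allowlist before it reaches the template at all.
// The allowed names here are constructed for the example.
function validate_resource_base(string $value): string
{
    $allowed = ['cpuset', 'core', 'cpu', 'host'];
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException('invalid resource_base');
    }
    return $value;
}

if (PHP_SAPI === 'cli') {
    // The payload from the reported URL, after URL decoding.
    $payload = 'cpuset";prompt(23206)//';

    echo "vulnerable: ", render_vulnerable($payload), "\n";
    // -> the literal is closed after cpuset and prompt(23206) becomes code

    echo "hardened:   ", render_safe($payload), "\n";
    // -> the quote is emitted as \u0022, so the whole value stays a string

    try {
        validate_resource_base($payload);
    } catch (InvalidArgumentException $e) {
        echo "allowlist:  rejected (", $e->getMessage(), ")\n";
    }
    echo "allowlist:  accepted ", validate_resource_base('cpuset'), "\n";
}
```

Running it with `php example.php` prints the two renderings side by side; the difference is the single character that matters. Encoding at the output point is the fix that survives future parameters being added, while the allowlist removes the unexpected input early and also gives the server a clean 400 to log. A `Content-Security-Policy` header that disallows inline script would additionally stop this class of injection from executing even if a template is missed, at the cost of moving existing inline scripts into separate files.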

npf commented 5 years ago

Thanks, Matthieu. (Apparently I misread the URL you proposed above; your example is indeed demonstrative!)