Download the source code from the https://github.com/xuxueli/xxl-job repository and build it on a personal cloud host, latest version: XXL-JOB 2.3.0
Create user test without any permissions
Verify that other functions cannot be accessed
The test user's cookie: XXL_JOB_LOGIN_IDENTITY=7b226964223a342c22757365726e616d65223a2274657374222c2270617373776f7264223a223039386636626364343632316433373363616465346538333236323762346636222c22726f6c65223a302c227065726d697373696f6e223a22227d
Problem: XXL-JOB 2.3.0 allows users with low permissions to add stored XSS against administrators
Vulnerability problem interface: /xxl-job-admin/jobinfo/add
Expected result: The test user fails to create or update a task
Actual result: The test user can create and execute tasks to load stored XSS
Vulnerability verification case: add a task with admin permission, then in the update-task function add the POC to the task parameters:
Capture the packet, replace the cookie of user test with the cookie of user Test, and send it. The task is created successfully.
Click Execute task as admin, changing the cookie to the test user's cookie.
The task belonging to admin is successfully executed by the test user. When the admin user queries the logs, the XSS is loaded successfully.
Other problematic interfaces are:
The addresslist parameter of the edit function, /xxl-job-admin/jobgroup/update interface
The executorParam parameter of the edit/update task function, /xxl-job-admin/jobinfo/update interface
The ueRemark parameter of the GLUE IDE save function, /xxl-job-admin/jobcode/save interface
The addresslist parameter of the run-task-once function, /xxl-job-admin/jobinfo/trigger interface
Vulnerability hazard: the low-permission user test can vertically add tasks to the admin user and store XSS, hijack the administrator's cookies, or obtain sensitive information such as the administrator's keylog and browser history through the XSS vulnerability.
Hi, are there any plans to release a fix for this? Parameters are encoded as HTML entities or have blacklist filter tags, while user permissions are isolated
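The two controls the thread asks for, a server-side job-group permission check on add/update/trigger and HTML-entity encoding of user-supplied task fields before an administrator's browser renders them, as an added illustration in plain Python. This is not xxl-job's own Java code: the `User`, `JobInfo`, `JobStore` and `render_log_row` names, the role values 0/1, and the comma-separated `permission` string are assumptions modelled on the fields named in the report, and the scenario data (an admin plus a role-0 user with an empty permission list) is constructed.

```python
"""Illustrative job-management core with a server-side job-group permission
check and output encoding. Hypothetical model, not the xxl-job code base."""
from dataclasses import dataclass
from html import escape
from typing import Dict

ROLE_NORMAL, ROLE_ADMIN = 0, 1  # assumed role encoding


@dataclass
class User:
    username: str
    role: int
    permission: str  # comma-separated job-group ids; "" means no group at all

    def valid_permission(self, job_group: int) -> bool:
        """Admins may manage any group; a normal user only the groups listed in `permission`."""
        if self.role == ROLE_ADMIN:
            return True
        allowed = {p.strip() for p in self.permission.split(",") if p.strip()}
        return str(job_group) in allowed


@dataclass
class JobInfo:
    id: int
    job_group: int
    job_desc: str
    executor_param: str
    author: str


class PermissionDenied(Exception):
    pass


class JobStore:
    """In-memory stand-in for the admin's job table (constructed for this example)."""

    def __init__(self) -> None:
        self.jobs: Dict[int, JobInfo] = {}
        self._next_id = 1

    def add(self, user: User, job_group: int, job_desc: str, executor_param: str) -> JobInfo:
        # Authorise against the server-side session user, never against a role
        # or permission claim carried in the request body or a client cookie.
        if not user.valid_permission(job_group):
            raise PermissionDenied(f"{user.username} may not manage job group {job_group}")
        job = JobInfo(self._next_id, job_group, job_desc, executor_param, user.username)
        self.jobs[job.id] = job
        self._next_id += 1
        return job

    def update(self, user: User, job_id: int, executor_param: str) -> JobInfo:
        job = self.jobs[job_id]
        # Check the group the job already belongs to, so a low-privilege user
        # cannot edit a job an administrator created in a group they do not own.
        if not user.valid_permission(job.job_group):
            raise PermissionDenied(f"{user.username} may not update job {job_id}")
        job.executor_param = executor_param
        return job

    def trigger(self, user: User, job_id: int) -> bool:
        job = self.jobs[job_id]
        if not user.valid_permission(job.job_group):
            raise PermissionDenied(f"{user.username} may not run job {job_id}")
        return True  # a real implementation would dispatch to the executor here


def render_log_row(job: JobInfo) -> str:
    """Encode every user-controlled field as HTML entities before it reaches the admin's browser."""
    cells = (job.job_desc, job.executor_param, job.author)
    return "<tr>" + "".join(f"<td>{escape(c, quote=True)}</td>" for c in cells) + "</tr>"


def demo() -> dict:
    """Constructed scenario mirroring the report: an admin and a role-0 user with no permission."""
    admin = User("admin", ROLE_ADMIN, "")
    test = User("test", ROLE_NORMAL, "")
    store = JobStore()
    job = store.add(admin, 1, "nightly report", "--mode=full")
    try:
        store.add(test, 1, "x", "<script>alert(1)</script>")
        add_blocked = False
    except PermissionDenied:
        add_blocked = True
    try:
        store.update(test, job.id, "<script>alert(1)</script>")
        update_blocked = False
    except PermissionDenied:
        update_blocked = True
    # Even if markup did land in the table, the renderer neutralises it on output.
    job.executor_param = "<script>alert(1)</script>"
    return {"add_blocked": add_blocked, "update_blocked": update_blocked,
            "row": render_log_row(job)}


if __name__ == "__main__":
    print(demo())
```

The permission check deliberately keys on the job's stored group rather than on any group id sent in the update request, and the encoding happens at the rendering boundary rather than on input, so the stored value stays intact for the executor while the admin page only ever receives entities.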