xuxueli / xxl-job

A distributed task scheduling framework.(分布式任务调度平台XXL-JOB)
http://www.xuxueli.com/xxl-job/
GNU General Public License v3.0
27.45k stars, 10.86k forks

Xxl-job-admin 2.3.0 has stored XSS and vertical privilege escalation vulnerabilities #2670

Open t1Kun opened 2 years ago

t1Kun commented 2 years ago

I downloaded the source code from the https://github.com/xuxueli/xxl-job repository and built it on a personal cloud host; it is the latest version, XXL-JOB 2.3.0.

Created a user test without any permissions, and verified that other functions cannot be accessed.

The test user's cookie: XXL_JOB_LOGIN_IDENTITY=7b226964223a342c22757365726e616d65223a2274657374222c2270617373776f7264223a223039386636626364343632316433373363616465346538333236323762346636222c22726f6c65223a302c227065726d697373696f6e223a22227d

Problem: XXL-JOB 2.3.0 allows users with low permissions to add stored XSS against administrators.

Vulnerable interface: /xxl-job-admin/jobinfo/add

Expected result: the test user fails to create or update a task.

Actual result: the test user can create and execute tasks that load stored XSS.

Vulnerability verification case: add tasks with admin permission, then update tasks. The POC is added in the task parameters field.

POC: capture the request. Replace the cookie of user test with the cookie of user Test and send it. The task is created successfully. Click "Execute task" as admin, changing the cookie to the test user's cookie. The task that admin owns is successfully executed by the test user. When the admin user queries the logs, the XSS loads successfully.

Other problematic interfaces are:

  1. The addresslist parameter of the edit function of the /xxl-job-admin/jobgroup/update interface
  2. The executorParam parameter of the edit/update task function of the /xxl-job-admin/jobinfo/update interface
  3. The ueRemark parameter of the save function of the edit GLUE IDE /xxl-job-admin/jobcode/save interface
  4. The addresslist parameter of the "perform the task once" function of the /xxl-job-admin/jobinfo/trigger interface

Vulnerability hazard: the low-permission user test can vertically add tasks belonging to the admin user and store XSS, and through the XSS vulnerability hijack the administrator's cookies or obtain sensitive information such as the administrator's keystroke logs and browsing history.
t1Kun commented 2 years ago

Hi, are there any plans to release a fix for this? Parameters are encoded as HTML entities or have tags filtered by a blacklist, while user permissions are isolated.
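To illustrate the two fix directions raised in this thread, server-side permission isolation for the write endpoints listed in the first comment (/jobinfo/add, /jobinfo/update, /jobinfo/trigger, /jobgroup/update) and HTML-entity encoding of parameters before they reach a browser, here is an added Java example. It is not xxl-job's own code: the class and method names (LoginUser, mayManageJobGroup, addJob, renderParamCell) are hypothetical, and the assumption that role 1 means administrator and that the permission field holds comma-separated job-group ids is inferred from the cookie quoted above, which decodes to role 0 with an empty permission list.

```java
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Added example, not xxl-job's own code: deny-by-default job-group check on the server
// side plus HTML escaping at render time. All names below are hypothetical.
public class JobPermissionDemo {

    // Identity as carried in XXL_JOB_LOGIN_IDENTITY: hex-encoded JSON.
    static final class LoginUser {
        final String username;
        final int role;               // assumption: 1 = administrator, 0 = ordinary user
        final Set<Integer> jobGroups; // job-group ids granted in "permission" (assumed comma-separated)

        LoginUser(String username, int role, Set<Integer> jobGroups) {
            this.username = username;
            this.role = role;
            this.jobGroups = jobGroups;
        }
    }

    // Cookie value taken from the report: the test user, role 0, empty permission list.
    static final String TEST_COOKIE =
        "7b226964223a342c22757365726e616d65223a2274657374222c2270617373776f7264223a22303938663662636434363"
      + "2316433373363616465346538333236323762346636222c22726f6c65223a302c227065726d697373696f6e223a22227d";

    static String hexToString(String hex) {
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return new String(out, StandardCharsets.UTF_8);
    }

    // Minimal field extractor so the demo needs no JSON library; handles "k":"v" and "k":123.
    static String field(String json, String name) {
        Pattern p = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*(?:\"([^\"]*)\"|(-?\\d+))");
        Matcher m = p.matcher(json);
        if (!m.find()) {
            return null;
        }
        return m.group(1) != null ? m.group(1) : m.group(2);
    }

    static LoginUser parseIdentity(String hexCookie) {
        String json = hexToString(hexCookie);
        Set<Integer> groups = new HashSet<>();
        String perm = field(json, "permission");
        if (perm != null && !perm.isEmpty()) {
            for (String id : perm.split(",")) {
                groups.add(Integer.parseInt(id.trim()));
            }
        }
        return new LoginUser(field(json, "username"), Integer.parseInt(field(json, "role")), groups);
    }

    // Deny by default: only an administrator, or a user explicitly granted this job group,
    // may add, update or trigger its jobs. The same check guards every write endpoint.
    static boolean mayManageJobGroup(LoginUser u, int jobGroup) {
        return u.role == 1 || u.jobGroups.contains(jobGroup);
    }

    // Guarded add: the check lives in the controller/service, not only in the UI.
    static String addJob(LoginUser u, int jobGroup, String executorParam) {
        if (!mayManageJobGroup(u, jobGroup)) {
            throw new SecurityException("user " + u.username + " has no permission on jobGroup " + jobGroup);
        }
        return executorParam; // stored as-is; escaping happens when the value is rendered
    }

    // Escape the five HTML-significant characters when a stored value (executorParam,
    // addresslist, remark, log text) is placed in a page. Escaping at output time avoids
    // double-encoding and keeps the stored value usable by the executor.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    static String renderParamCell(String storedParam) {
        return "<td>" + escapeHtml(storedParam) + "</td>";
    }

    public static void main(String[] args) {
        LoginUser test = parseIdentity(TEST_COOKIE);
        System.out.println(test.username + " role=" + test.role + " jobGroups=" + test.jobGroups);

        String param = "<b>hello</b> & \"quotes\"";   // constructed sample parameter
        LoginUser admin = new LoginUser("admin", 1, Collections.<Integer>emptySet());
        LoginUser ops = new LoginUser("ops", 0, new HashSet<>(Arrays.asList(2)));

        System.out.println(renderParamCell(addJob(admin, 1, param))); // administrator: allowed
        System.out.println(renderParamCell(addJob(ops, 2, param)));   // granted group 2: allowed
        try {
            addJob(test, 1, param);                                    // role 0, no groups: rejected
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Running main shows the administrator's add succeeding with the parameter escaped in the rendered cell, the user granted group 2 passing for that group only, and the test user's request rejected with a SecurityException regardless of which cookie the browser presented to the UI. The permission check has to run on every state-changing endpoint the report lists, not just on the page that renders the form, and the escaping belongs at the template or rendering layer rather than at storage so the executor still receives the raw parameter.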