xuxueli / xxl-job

A distributed task scheduling framework.(分布式任务调度平台XXL-JOB)
http://www.xuxueli.com/xxl-job/
GNU General Public License v3.0

XSS attack appears in /xxl-job-admin/joblog/logDetailPage #3329

Open N0th1n3 opened 11 months ago

N0th1n3 commented 11 months ago

Environment

MySQL 5.7.44, XXL-Job-Admin 2.4.0
Virtual Machine 1: Ubuntu 22.04.3 (as XXL-Job-Admin)
Virtual Machine 2: Ubuntu 22.04.3 (as XXL-Job-Executor)

Vulnerability Information

During the query of /xxl-job-admin/joblog/logDetailPage, the xxl-job-admin will query the related log directly in the machine and show it in the console in HTML format even if the log appears in format

Steps to reproduce the behavior

Step 1: Modify the application log in the default path of XXL-Job-Executor and add malicious javascript:
cd /data/applogs/xxl-job/jobhandler/yyyy-mm-dd/
Example malicious code: <script>alert(Test123);</script>

Step 2: Login to the XXL-Job-Admin console as the admin user and navigate to the Log Query page. Check the log by querying the log id.

Step 3: The alert will show here.
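The report above comes down to the admin page inserting executor log text into the DOM as HTML. The following is an added example of the defensive side, not xxl-job's own code: it assumes the log console fetches the log as plain text and previously assigned it via innerHTML, and shows escaping every line before rendering, plus a simple check that flags tag-like lines in a log so an operator can investigate who wrote to the executor's log directory. The sample log is constructed and embeds the payload from the report.

```javascript
// Added example (not from the xxl-job project): escape executor log text
// before it reaches the admin page's DOM. Assumes the log console builds
// markup from fetched log text; that is what lets a <script> line in the
// log file run in the admin's browser.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape the five characters that can break out of an HTML text node or attribute.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Turn raw log text into markup that is safe to assign to innerHTML:
// each line is escaped first, then lines are joined with <br>.
// (In a browser the simplest fix is el.textContent = logText, which never
// parses markup at all; this function is for code that must emit HTML.)
function renderLogHtml(logText) {
  return String(logText)
    .split(/\r?\n/)
    .map(escapeHtml)
    .join("<br>");
}

// Detection helper: report log lines that contain tag-like markup, with
// their 1-based line numbers, so an operator can review the executor's log
// directory for unexpected writes.
function findMarkupLines(logText) {
  return String(logText)
    .split(/\r?\n/)
    .map((line, i) => ({ line: i + 1, text: line }))
    .filter((entry) => /<\s*\/?\s*[a-zA-Z]/.test(entry.text));
}

// Constructed sample log; line 2 is the payload quoted in the report.
const SAMPLE_LOG = [
  "2024-01-01 10:00:00 [Thread-1] INFO  job handler start",
  "<script>alert(Test123);</script>",
  "2024-01-01 10:00:01 [Thread-1] INFO  job handler end",
].join("\n");

console.log(renderLogHtml(SAMPLE_LOG));
console.log(findMarkupLines(SAMPLE_LOG));
```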

75ACOL commented 10 months ago

If you can go to this page, then you can do more things.