Bug #15844 (Status: Closed, 100% done)
Dashboard ``widgetkey`` values are not validated on save or load, can lead to configuration corruption or other problems
Description
Many dashboard widgets allow multiple instances and use a "widgetkey" parameter to distinguish between these instances. The widget keys should be in the form of <widget internal name>-<instance id>. However, this format is not validated when submitted from clients. Clients can populate that variable with bad data, which can result in a corrupted configuration and it could potentially be an XSS vector.
For example, if a client submits a widgetkey value containing XML, such as the following, it can result in the configuration becoming unreadable, which prevents the GUI from being used and may also prevent the system from booting:
widgetkey=test/><log-0><filterlogentriesinterval>5;alert("XSS")</filterlogentriesinterval></log-0><!--
At a minimum, the submitted widget key should be validated to be in the correct form and tested against the current list of widgets on the dashboard. If the latter part would result in settings being lost for removed widgets, then it may be enough to test the key against the list of possible widgets and that the ID is a positive integer.
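The validation the report asks for, written out as an added example (not the project's code and not the fix from the attached patches): a key must match the strict <widget internal name>-<instance id> shape, the name must be a widget that can exist on the dashboard, the id must be a plain decimal integer, and optionally the key must match an instance currently on the dashboard. The regex, the widget name set and the length cap are assumptions for this example; the instance id is allowed to be 0 because the page's own example key is log-0.

```python
import re

# Assumed shape of a widget key: lowercase internal name, a dash, decimal id.
# fullmatch() is used so nothing may precede or follow the two parts, which
# rejects '/', '<', quotes and anything else that could break the XML config.
WIDGETKEY_RE = re.compile(r"(?P<name>[a-z0-9_]+)-(?P<id>\d+)")

# Constructed sample of widgets that may exist on the dashboard (assumption,
# not the real list shipped with the product).
KNOWN_WIDGETS = {"log", "gateways", "interfaces", "system_information"}

# The malformed key from the bug description, used here only as a negative test.
MALICIOUS_KEY = 'test/><log-0><filterlogentriesinterval>5;alert("XSS")</filterlogentriesinterval></log-0><!--'


def validate_widgetkey(key, known_widgets, active_keys=None):
    """Return (name, instance_id) for an acceptable key, else raise ValueError.

    Checks, in order:
      1. the key is a short string of the exact form <name>-<id>
      2. <name> is a widget that can exist on the dashboard
      3. <id> is a non-negative decimal integer (the regex already forbids
         signs, spaces and trailing characters)
      4. if active_keys is given, the key names an instance that is currently
         on the dashboard; pass None to skip this and keep settings for
         widgets the user has removed, as the report suggests
    """
    if not isinstance(key, str) or not key or len(key) > 64:
        raise ValueError("widgetkey missing, empty or too long")
    match = WIDGETKEY_RE.fullmatch(key)
    if match is None:
        raise ValueError("widgetkey is not of the form <name>-<id>")
    name = match.group("name")
    instance_id = int(match.group("id"))
    if name not in known_widgets:
        raise ValueError(f"unknown widget name {name!r}")
    if active_keys is not None and key not in active_keys:
        raise ValueError(f"widget instance {key!r} is not on the dashboard")
    return name, instance_id


def is_valid_widgetkey(key, known_widgets, active_keys=None):
    """Boolean convenience wrapper around validate_widgetkey()."""
    try:
        validate_widgetkey(key, known_widgets, active_keys)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample of keys a client might submit.
    for candidate in ["log-0", "gateways-12", "log--1", "log-1x", "bogus-1", MALICIOUS_KEY]:
        print(repr(candidate)[:40], "->", is_valid_widgetkey(candidate, KNOWN_WIDGETS))
```

A key that passes this check is still untrusted data when it is written back into the page; widget settings that get echoed to the browser need HTML encoding on output regardless of how the key was validated.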
Files
Updated by Jim Pingle 6 months ago
- File poc-widgetkey-15844.py added
- Status changed from New to In Progress
- Assignee set to Jim Pingle
- % Done changed from 0 to 30
I was able to reproduce the XSS only if the configuration did not have any existing widget settings for an instance, such as log-0 in the example submission above. For the XSS to trigger, the widgetkey in the injected XML has to match an existing widget on the Dashboard that doesn't already have settings and has a value that gets printed to the user without separate encoding. The easiest way to reproduce it is to remove any settings for log-0 in the configuration and then use the example value above.
Attached is a small proof of concept script which can trigger the problem.
I have a fix in progress, but it needs more work as each widget that uses widgetkey in this way needs updated to use the new validation methods.
Updated by Jim Pingle 6 months ago
- % Done changed from 30 to 90
MR updated with validation for remaining widgets that utilize widgetkey. Also included validation for some settings which were not fully validated.
Updated by Jim Pingle 6 months ago
Added MR for affected packages, also improved the validation methods a bit in general.
Updated by Jim Pingle 6 months ago
- File 15844-widgetkey-validation-24.03.patch added
- File 15844-widgetkey-validation-24.11.patch added
- File 15844-widgetkey-validation-ce-2.7.2.patch added
- % Done changed from 90 to 100
Attached here are patches for testing on releases, each of which needs slight adjustments for the patches to apply cleanly. I have tested each of them successfully against a handful of widgets but they could use wider testing. Both with the POC script attached above as well as general use of all the widgets, making sure they each still operate and allow changing their settings.
Updated by Jim Pingle 6 months ago
- Status changed from In Progress to Feedback
I merged the changes, they are ready for additional testing.
Updated by Jim Pingle 6 months ago
- Status changed from Feedback to In Progress
There are still some refinements to be made here, more commits incoming.
Updated by Jim Pingle 6 months ago
- Status changed from In Progress to Feedback
Applied in changeset 6b42147b1c52b559e833e0edcbfbdffbb410b809.
Updated by Jim Pingle 5 months ago
- Plus Target Version changed from 25.01 to 25.03
Updated by Jim Pingle 5 months ago
Original reporter responded back that the last round of fixes corrected the problem.
Will leave open for an internal testing result, then it can be closed.
Updated by Georgiy Tyutyunnik 5 months ago
- Status changed from Feedback to Resolved
reproduced on 24.11
latest dev has the issue fixed
tested on:
25.03-DEVELOPMENT (amd64)
built on Tue Dec 17 7:00:00 CET 2024
FreeBSD 15.0-CURRENT