Impact
Clicking on a malicious link pointing to the rules or directives pages while connected to the web interface of a Rudder server can lead to arbitrary script execution (a case of DOM based XSS). The injected script can then access all internal APIs with the user's privileges, including policies configuration, API accounts management (if the connected account has admin permissions), etc. It could hence allow compromising the Rudder server and all its managed nodes.
This vulnerability also allows some stored XSS (in directive ID), but exploiting it requires an account with write access to the configuration policies.
Details
The rules and directives pages use a JSON parameter, carried in the URL fragment, to get the ID of the rule or directive to load (source). It has the following behavior (here in the directives page):
- The page loads with a JSON parameter in the URL fragment:
  ```
  /rudder/secure/configurationManager/directiveManagement#{"directiveId":"bef08dbb-d33c-49d9-8021-ecd7b828d779"}
  ```
- Some JavaScript code in the page reads the fragment:
  ```javascript
  var directiveId = decodeURI(window.location.hash.substring(1)) ;
  ```
- It sends it to the server with an Ajax call:
  ```scala
  ${SHtml.ajaxCall(JsVar("directiveId"), displayDetails _)._2.toJsCmd};
  ```
- The backend parses the JSON and builds a JavaScript file that loads the given directive in the page (excerpts):
  ```scala
  json.parseOpt(jsonId).flatMap(_.extractOpt[JsonDirectiveRId]) match {
    case Some(id) =>
      updateDirectiveForm(Right(DirectiveId(DirectiveUid(id.directiveId), ParseRev(id.rev))), None)
    // ...
  ```
  ```scala
  def updateDirectiveForm(
    // ...
  ) {
    // the directive ID is interpolated unescaped into the generated script
    JsRaw("""sessionStorage.removeItem('tags-${directiveId.uid.value}');""")
  }
  ```
- The script is returned to the browser, which evaluates it, so a line like the following is executed:
  ```javascript
  sessionStorage.removeItem('tags-bef08dbb-d33c-49d9-8021-ecd7b828d779');
  ```
Injection
The injection happens in the URL parameter:
```
/rudder/secure/configurationManager/directiveManagement#{"directiveId":"');alert(1);//"}
```
which leads to executing the following line:
```javascript
sessionStorage.removeItem('tags-');alert(1);//');
```
This evaluates arbitrary JavaScript code, which bypasses all mitigations for simpler XSS or CSRF (SameSite cookie attribute, etc.).
Patches
The fix consists in applying proper JavaScript escaping on the untrusted strings.
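The following is an added example, not Rudder's code, contrasting the raw interpolation described above with a version that escapes the untrusted ID as a JavaScript string literal. The function names, the stub `sessionStorage`, the `marker()` stand-in for an injected call and the UUID check are all assumptions for the illustration; the UUID check is defence in depth beyond the escaping the advisory names as the fix.

```javascript
// Vulnerable pattern: the untrusted value is spliced straight into a JS string literal,
// so a quote in the value terminates the literal and the rest is parsed as code.
function buildUnsafe(directiveId) {
  return `sessionStorage.removeItem('tags-${directiveId}');`;
}

// Hardened pattern: serialise the value as a JS string literal. JSON.stringify escapes
// quotes, backslashes and control characters; the extra replacements cover characters
// that are legal in a JSON string but can still cause trouble inside a <script> element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function buildEscaped(directiveId) {
  return `sessionStorage.removeItem(${jsStringLiteral("tags-" + directiveId)});`;
}

// Defence in depth (an assumption, not the advisory's fix): a directive ID is expected to
// be a UUID, so anything else can be rejected before it is embedded anywhere.
const UUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
function isValidDirectiveId(id) {
  return UUID.test(id);
}

// Runs a generated snippet against a stub sessionStorage and reports which keys were
// removed and whether anything other than the intended call executed.
function runSnippet(code) {
  const removed = [];
  const stub = { removeItem: (key) => removed.push(key) };
  let escaped = false;
  // `marker` stands in for whatever an injected payload would call.
  const marker = () => { escaped = true; };
  new Function("sessionStorage", "marker", code)(stub, marker);
  return { removed, escaped };
}

// Constructed inputs: the advisory's benign ID and a break-out value that calls marker().
const benignId = "bef08dbb-d33c-49d9-8021-ecd7b828d779";
const payload = "');marker();//";
```

With the escaped builder the break-out value stays inside the string argument, so the only effect is the removal of a key literally named `tags-');marker();//`.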
Workarounds
None on the server side.
On the client side, avoid clicking on untrusted links pointing to your Rudder server while connected to its Web interface. Using a separate browser or browser profile for the Rudder session also prevents it.
References