This repository has been archived by the owner on Apr 23, 2020. It is now read-only.

Stored cross-site-scripting on explorer add node #331

Open
ghost opened this issue Mar 5, 2017 · 0 comments

ghost commented Mar 5, 2017

I found that the following string can be added to the node explorer, allowing an attacker to create a stored cross-site scripting (XSS) that can be seen under the logs tab.
The string to PUT in explorer is `/<img src="yourURLto_the_image" onload="alert('XSS');>`.
Attached some screenshots

haywhisksoftware added a commit to haywhisksoftware/exhibitor that referenced this issue Feb 5, 2018
A creator of a UITab may designate the tab to serve HTML content. This is reflected in the "html" variable of the corresponding UITabSpec.

The previous commit for issue soabase#331 would have rendered all custom tab content as plain text, which may have ruined someone's day if they were hoping that their custom tab's content would render as HTML. This change renders custom tab content as text or HTML depending on the "html" variable.

For the Log tab, the content is plain text.
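
The rendering rule described in the commit message above, sketched as an added example; it is not part of the commit or of Exhibitor's code. Every name except the "html" flag is hypothetical, and the log line is constructed from the string in the report.

```javascript
// Added example: not Exhibitor's code. Function and object names are
// hypothetical; only the "html" flag comes from the commit message.

// Escape the characters that let text break out of an HTML text node
// or a quoted attribute value.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the markup placed in a tab's content pane.
// tabSpec.html mirrors the "html" variable of a UITabSpec. The strict
// comparison fails closed: a missing or non-boolean flag means plain text.
function renderTabContent(tabSpec, content) {
  if (tabSpec.html === true) {
    return content; // the tab's creator declared that it serves HTML
  }
  return '<pre>' + escapeHtml(content) + '</pre>';
}

// Constructed sample: a log line recording the node path from the report.
const logLine =
  'INFO Created node: /<img src="yourURLto_the_image" onload="alert(\'XSS\');>';

const logTab = { name: 'log', html: false };      // Log tab: plain text
const customTab = { name: 'status', html: true }; // custom tab opting in to HTML

function demo() {
  return {
    log: renderTabContent(logTab, logLine),
    custom: renderTabContent(customTab, '<b>3 of 3 instances serving</b>'),
    noFlag: renderTabContent({ name: 'legacy' }, '<i>x</i>'),
  };
}

console.log(demo());
```

A tab that sets the flag is still inserted as markup unchanged, so any untrusted data it displays has to be escaped by the code that produces that tab's content.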