Vote #74664
未完了RJS leaking
0%
説明
example - http://www.redmine.org/boards/2/topics/quote/5682.js
all files that respond with JS with private data for GET requests are vulnerable to homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
in redmine we should remove:
attachments/destroy.js.erb members/create.js.erb
attachments/upload.js.erb members/destroy.js.erb
custom_fields/new.js.erb members/update.js.erb
groups/add_users.js.erb messages/quote.js.erb
groups/autocomplete_for_user.js.erb repositories/add_related_issue.js.erb
groups/destroy_membership.js.erb repositories/new.js.erb
groups/edit_membership.js.erb repositories/remove_related_issue.js.erb
groups/remove_user.js.erb users/destroy_membership.js.erb
issue_categories/create.js.erb users/edit_membership.js.erb
issue_categories/new.js.erb versions/create.js.erb
issue_relations/create.js.erb versions/new.js.erb
issue_relations/destroy.js.erb versions/status_by.js.erb
issues/bulk_edit.js.erb watchers/_set_watcher.js.erb
issues/update_form.js.erb watchers/append.js.erb
journals/edit.js.erb watchers/create.js.erb
journals/new.js.erb watchers/destroy.js.erb
journals/update.js.erb watchers/new.js.erb
members/autocomplete.js.erb wikis/edit.js.erb
journals
I'm not fond of RJS neither but I can't see how an attacker will get access to the private data without first getting access to an authenticated user loaded page?
--------------------------------------------------------------------------------
For example, there's no sensible data exposed by the server in your example?
--------------------------------------------------------------------------------
i gave a link to my blog post above: http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
When redmine user visits 3rd party website, that website can include something like
<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script> or iterate all comments, or any other GET-accessible actions (check the files I listed above, some of them suit).
Also he redefines
function $(){ return {val: function(){ console.log('LEAKED',arguments);}}};
document.write('<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script>')
--------------------------------------------------------------------------------
btw this route is has no CSRF protection
match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post
because no protect_from_forgery in SyScontroller
--------------------------------------------------------------------------------
egor homakov wrote:
> btw this route is has no CSRF protection
>
> match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post
>
> because no protect_from_forgery in SyScontroller
It's normal behavior, this controller is called for system task by passing a key as param.
--------------------------------------------------------------------------------
I see, thanks.
i can't reproduce get 'watchers/new', :to => 'watchers#new'
but i think most of routes above work for admin users only. I don't have redmine installation to test, so quote-link is only example i have so far. Please check if there are other JS-responding GET routes, non-GET are fine.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
related_issues
relates,New,17770,very simple fix: that causes many sites to break, and much confusion - incorrect use of .js suffix