
[BUG] [XBOW-025-008] Reflected Cross-Site Scripting (XSS) Vulnerability in Graphite 1.1.10 via /metrics/find endpoint #2870

Open
xbow-security opened this issue Jan 24, 2025 · 3 comments

@xbow-security

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

The Graphite 1.1.10 metrics interface is vulnerable to reflected Cross-Site Scripting (XSS) through the 'from' and 'until' parameters in the /metrics/find endpoint. When these parameters receive input containing script tags, the application fails to properly sanitize the input before reflecting it back in error messages. This vulnerability allows attackers to inject and execute arbitrary JavaScript code in the context of other users' browsers.

The vulnerability exists because the error handling mechanism in the metrics interface reflects user input in error messages without proper HTML encoding. When the application attempts to process invalid date formats in the from/until parameters, it generates an error message that includes the raw user input, allowing script tags to be executed in the browser context.

Steps to Reproduce

  1. Access the Graphite metrics interface at /metrics/find.
  2. Submit a request with a malicious payload in the 'from' parameter:
    GET /metrics/find?from=<script>alert('XSS')</script>
    
  3. The application will return a 400 Bad Request error but will reflect the payload in the error message.

(screenshot)

  4. The injected JavaScript code executes in the victim's browser.

When these steps are followed, the application generates an error message containing the unescaped input, allowing the JavaScript code to execute in the victim's browser context, demonstrating the successful exploitation of the XSS vulnerability.

Mitigations

  • Implement proper HTML encoding for all user input that is reflected in error messages using appropriate framework escape functions.
  • Add Content Security Policy (CSP) headers to restrict script execution from unauthorized sources.
  • Validate and sanitize all input parameters before processing, especially date-related parameters that generate error messages.
  • Consider using built-in date parsing functions instead of raw string manipulation for date parameters.

Impact

This vulnerability allows attackers to execute arbitrary JavaScript code in victims' browsers when they visit specially crafted URLs. The impact is high as it could lead to session hijacking, credential theft, or other client-side attacks. The vulnerability requires no authentication and can be triggered through a simple GET request, making it easily exploitable through malicious links or redirects.

Disclosure Policy

This bug is subject to a 90-day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 15 days after the fix was made available. Regardless of this disclosure process, XBOW may privately notify other affected parties as soon as we become aware of this vulnerability.

@niol
Contributor

niol commented Jan 24, 2025

Cannot reproduce on my installation, I get:
Invalid parameters (Invalid value "<script>alert('XSS')</script>" for param from: Unknown day reference: <script>alert('xss')</script>)
So this may be already fixed.

@xbow-security
Author

Hello @niol,

That's the expected behavior for this XSS exploitation. You will see the payload being reflected in the response as in the following screenshot:

(screenshot)

If you load this same request in the browser, you should see the XSS alert.

(screenshot)

Please let me know if it works for you. We've just tested it again in the latest version of Graphite (1.1.10) and it works.

@niol
Contributor

niol commented Jan 24, 2025

No, I have:
Invalid parameters (Invalid value "&lt;script&gt;alert('XSS')&lt;/script&gt;" for param from: Unknown day reference: &lt;script&gt;alert('xss')&lt;/script&gt;)
But I use the patched version from Debian (1.1.10-8), which includes many fixes from the master branch that have not been released.
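The thread turns on one difference: the reporter's instance echoes the bad `from` value into the error message verbatim, while niol's Debian build echoes it as `&lt;script&gt;...`. The following is an added illustration, not Graphite's code: a toy `/metrics/find` handler with a constructed whitelist "date parser" (not Graphite's real time-reference grammar), an error renderer that interpolates the raw parameter (the reported behaviour), the hardened renderer that HTML-escapes the reflected pieces (the first mitigation in the report, using `html.escape` as a stand-in for a framework escape function), and a check that tells the two responses apart the way the two comments above do.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed toy grammar standing in for a date/time parser; Graphite's real
# "day reference" handling is far richer and is not reproduced here.
ALLOWED_DAY_REFERENCES = {"today", "yesterday", "now"}


def parse_time_reference(value: str) -> str:
    """Accept a small whitelist of relative references, otherwise raise.

    The exception message carries the offending token, which is exactly the
    kind of value an error page ends up reflecting.
    """
    token = value.strip().lower()
    if token not in ALLOWED_DAY_REFERENCES:
        raise ValueError(f"Unknown day reference: {token}")
    return token


def error_body_unsafe(param: str, value: str, exc: Exception) -> str:
    """Error rendering that interpolates raw input into the HTML response.

    This mirrors the behaviour the report describes: markup submitted in the
    parameter reaches the browser unchanged.
    """
    return f'Invalid parameters (Invalid value "{value}" for param {param}: {exc})'


def error_body_escaped(param: str, value: str, exc: Exception) -> str:
    """Hardened rendering: every reflected fragment is HTML-escaped.

    html.escape (quote=True) also encodes ' and ", so the result is safe in an
    attribute as well as in text content.
    """
    return (
        f'Invalid parameters (Invalid value "{html.escape(value)}" '
        f"for param {param}: {html.escape(str(exc))})"
    )


def handle_find(url: str, render_error) -> tuple[int, str]:
    """Simulated /metrics/find handler (hypothetical, not Graphite's view).

    Returns (status, body): 200 when from/until parse, otherwise 400 with the
    body produced by the supplied error renderer.
    """
    query = parse_qs(urlsplit(url).query)
    for param in ("from", "until"):
        for value in query.get(param, []):
            try:
                parse_time_reference(value)
            except ValueError as exc:
                return 400, render_error(param, value, exc)
    return 200, "ok"


def reflects_raw_markup(submitted: str, body: str) -> bool:
    """Triage check: is the submitted markup present verbatim in the response?

    A body that contains the input only in escaped form (e.g. &lt;script&gt;)
    does not count, which is the distinction drawn in the thread above.
    """
    return "<" in submitted and submitted in body


if __name__ == "__main__":
    # Constructed request using the value quoted in the issue.
    payload = "<script>alert('XSS')</script>"
    url = f"/metrics/find?from={payload}"
    for name, renderer in (("unsafe", error_body_unsafe), ("escaped", error_body_escaped)):
        status, body = handle_find(url, renderer)
        print(f"{name}: HTTP {status}, reflects raw markup: {reflects_raw_markup(payload, body)}")
        print("   ", body)
```

Run stand-alone, the unsafe renderer returns a 400 whose body contains the submitted markup unchanged, while the escaped renderer returns a 400 whose body contains only the `&lt;script&gt;` form, matching the two outputs pasted in the comments. The same `reflects_raw_markup` check is what a regression test for the fix would assert on.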
