[BUG] Stored XSS in cookie
takyoni opened this issue
Describe the bug
It's possible to execute JS in the application context by modifying the "Relative Time Range".
To Reproduce
Access a graphite-web instance (e.g. http://localhost/dashboard/). You don't really need data in it.
- Go to http://localhost/dashboard/
- Click on "Relative Time Range"
- Enter in "Show the past":
<noscript><p title="</noscript><img src=x onerror=alert() onmouseover=alert()>">"
- Now there will always be XSS when you go to http://localhost/dashboard/
- It's connected with cookie ys-defaultGraphParams
- After performing all the actions, its value becomes:
s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D
Expected behavior
This can be solved by removing or ignoring requests containing the characters "<" and ">" and/or other escaping/scripting characters, i.e. sanitize the value before using it.
Environment (please complete the following information):
- OS flavor: Debian
- Graphite-web version [1.1.8-8]
- Django/Python version: N/A, but confirmed on 1.08-1.11/2.7 and 2.1/3.6
- Setup type: docker
Additional context
Fixed in #2785
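The following is an added example, not code from graphite-web or from the reporter. It takes the exact ys-defaultGraphParams cookie value quoted in the report, decodes it the way a browser-side reader would, and contrasts a rendering that concatenates the stored "from" value into markup (the pattern the report describes) with one that escapes it, plus a whitelist check for Graphite-style relative time strings. Assumptions not in the report: the leading `s:` is treated as a type prefix to strip before JSON parsing; the `renderTimeRange*` helpers, the `countTags` check and the relative-time grammar are illustrative and are not the project's own code or its fix.

```javascript
// Added example (not graphite-web code). Shows how the stored cookie value
// from the report reaches the DOM, and a hardened rendering beside it.

// Cookie value copied verbatim from the report (constructed test input).
const REPORTED_COOKIE =
  "s%3A%7B%22from%22%3A%22-2%3Cnoscript%3E%3Cp%20title%3D%5C%22%3C/noscript%3E%3Cimg%20src%3Dx%20onerror%3Dalert%28%29%20onmouseover%3Dalert%28%29%3E%5C%22%3E%5C%22hours%22%2C%22until%22%3A%22now%22%2C%22width%22%3A400%2C%22height%22%3A250%7D";

// Decode the cookie: percent-decode, strip the assumed "s:" type prefix, parse JSON.
function parseGraphParamsCookie(raw) {
  const decoded = decodeURIComponent(raw);
  const json = decoded.startsWith("s:") ? decoded.slice(2) : decoded;
  return JSON.parse(json);
}

// Minimal HTML escaping, safe for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable rendering (illustrative): cookie-controlled strings are concatenated
// into markup, once inside an attribute and once as text. The reporter's payload
// closes the attribute with a quote and then supplies an <img onerror>, so it
// fires in either context.
function renderTimeRangeUnsafe(params) {
  return `<span title="${params.from}">Show the past ${params.from} until ${params.until}</span>`;
}

// Hardened rendering: every interpolated value is escaped for its context.
function renderTimeRangeSafe(params) {
  const from = escapeHtml(params.from);
  const until = escapeHtml(params.until);
  return `<span title="${from}">Show the past ${from} until ${until}</span>`;
}

// Stricter still: accept only values shaped like a relative time before storing them.
// This grammar is a simplified approximation (assumption), e.g. "-2hours", "-1d", "now".
const RELATIVE_TIME =
  /^(now|-?\d+(s|sec|seconds?|min|minutes?|h|hours?|d|days?|w|weeks?|mon|months?|y|years?))$/;
function isValidRelativeTime(value) {
  return RELATIVE_TIME.test(String(value));
}

// Crude check used only for the demo: count raw tag tokens in rendered markup.
// The hardened output must contain exactly the template's own <span> and </span>.
function countTags(html) {
  return (html.match(/<\/?[a-z][^>]*>/gi) || []).length;
}

// Run the whole chain on the reported cookie and return the results.
function demo() {
  const params = parseGraphParamsCookie(REPORTED_COOKIE);
  const unsafe = renderTimeRangeUnsafe(params);
  const safe = renderTimeRangeSafe(params);
  return {
    from: params.from,
    until: params.until,
    unsafe,
    safe,
    unsafeTagCount: countTags(unsafe),
    safeTagCount: countTags(safe),
    fromValid: isValidRelativeTime(params.from),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Escaping at render time is what stops the stored value from becoming markup; the whitelist on input is a second, independent layer, since a relative time never legitimately contains `<`, `>` or quotes. Note that a regex-based "does the HTML contain onerror=" detector would false-positive on the escaped output, because the attacker's text is still present there, just inert.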