GHSA-cr3w-cw5w-h3fj: Saltcorn's Reflected XSS and Command Injection vulnerabilities can be chained for 1-click-RCE
- There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.
- Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip.
Both vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though I have not tested that).
References
- github.com/advisories/GHSA-cr3w-cw5w-h3fj
- github.com/saltcorn/saltcorn
- github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/saltcorn-admin-models/models/backup.ts
- github.com/saltcorn/saltcorn/blob/020893c0001678fd5ebd2c088ba68b395de1aabc/packages/server/routes/admin.js
- github.com/saltcorn/saltcorn/commit/1bf681e08c45719a52afcf3506fb5ec59f4974d5
- github.com/saltcorn/saltcorn/security/advisories/GHSA-cr3w-cw5w-h3fj
Code Behaviors & Features
Detect and mitigate GHSA-cr3w-cw5w-h3fj with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →