Summary
iotgateway's /_Admin/ActionLog/Search and /_Admin/ActionLog/Details pages render action-log entries whose IP field is taken, unvalidated, from the X-Forwarded-For request header, which allows stored cross-site scripting (XSS).
Details
When a user calls an HTTP API, the action-log function records the caller's IP, ActionName and other call information. However, the IP is taken from the X-Forwarded-For header whenever that header is present. The IP is read in \WalkingTec.Mvvm\WalkingTec.Mvvm.Mvc\Filters\FrameworkFilter.cs, in OnResultExecuted(ResultExecutedContext context) at line 386, which calls GetRemoteIpAddress(this HttpContext self) in \WalkingTec.Mvvm\WalkingTec.Mvvm.Mvc\Helper\HttpContextExtention.cs. The vulnerable source code is below.
/* 383 */ log.ModuleName = ctrlDes?.GetDescription(ctrl) ?? ctrlActDesc.ControllerName;
/* 384 */ log.ActionName = actDes?.GetDescription(ctrl) ?? ctrlActDesc.ActionName + (postDes == null ? string.Empty : "[P]");
/* 385 */ log.ActionUrl = context.HttpContext.Request.Path;
/* 386 */ log.IP = context.HttpContext.GetRemoteIpAddress();   // value comes straight from X-Forwarded-For when set
/* 387 */ log.Remark = context.Exception?.ToString() ?? string.Empty;
/* 388 */ if (string.IsNullOrEmpty(log.Remark) == false && log.Remark.Length > 2000)
/* 389 */ {
/* 390 */     log.Remark = log.Remark.Substring(0, 2000);
/* 391 */ }
public const string REMOTE_IP_HEADER = "X-Forwarded-For";

public static string GetRemoteIpAddress(this HttpContext self)
{
    // Any client can set this header; its value is returned verbatim,
    // without checking that the peer is a trusted proxy or that the
    // value is actually an IP address.
    var proxyIp = self.Request?.Headers?[REMOTE_IP_HEADER].FirstOrDefault();
    if (!string.IsNullOrEmpty(proxyIp))
    {
        return proxyIp;
    }
    else
    {
        // Only used when the header is absent.
        return self.Connection.RemoteIpAddress.ToString();
    }
}
If the X-Forwarded-For header is set, the logged IP is taken from it. Any client can set that header, and its value is stored and displayed without validation or encoding. Complete reproduction:
1. The user calls any HTTP API of the application with the X-Forwarded-For header set to
1.1.1.1<img src=x onerror=alert(1)>
2. The backend stores the X-Forwarded-For value in the action log without filtering.
3. When /_Admin/ActionLog/Search or /_Admin/ActionLog/Details is opened, the front-end HTML renders the stored data and the XSS payload executes.
PoC
X-Forwarded-For:1.1.1.1<img src=x onerror=alert(1)>
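As an added example (not code from iotgateway or WalkingTec.Mvvm), the following C# shows a hardened replacement for the GetRemoteIpAddress logic above: X-Forwarded-For is honoured only when the TCP peer is a known reverse proxy, only the right-most entry (the one the proxy appended) is used, and the result must parse as an IP address before it is returned, so the PoC payload can never reach the log. The class and method names (ClientIpResolver, Resolve) and the proxy address 10.0.0.5 are assumptions made for this example.

```csharp
// Added example, not part of iotgateway or WalkingTec.Mvvm.
using System;
using System.Linq;
using System.Net;

public static class ClientIpResolver
{
    // Assumed for this example: the only reverse proxy allowed to set X-Forwarded-For.
    private static readonly IPAddress[] KnownProxies = { IPAddress.Parse("10.0.0.5") };

    // forwardedFor: raw X-Forwarded-For value, or null when the header is absent.
    // remote: the TCP peer address (HttpContext.Connection.RemoteIpAddress).
    // Returns an IPAddress, never the raw header string, so the value that ends
    // up in the action log cannot contain markup.
    public static IPAddress Resolve(string? forwardedFor, IPAddress remote)
    {
        // 1. Only a known proxy may speak for the client; anyone else's
        //    X-Forwarded-For is ignored and the peer address is used.
        if (string.IsNullOrWhiteSpace(forwardedFor) || !KnownProxies.Contains(remote))
            return remote;

        // 2. The right-most entry is the one appended by the trusted proxy.
        //    Entries to its left were supplied by the client and are untrusted.
        var candidate = forwardedFor
            .Split(',')
            .Select(s => s.Trim())
            .LastOrDefault(s => s.Length > 0);

        // 3. Accept only a literal IP address. "1.1.1.1<img src=x onerror=alert(1)>"
        //    fails TryParse, so the proxy's own address is logged instead.
        return candidate != null && IPAddress.TryParse(candidate, out var parsed)
            ? parsed
            : remote;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs for the example.
        var payload  = "1.1.1.1<img src=x onerror=alert(1)>";
        var attacker = IPAddress.Parse("203.0.113.7");   // direct client, not a proxy
        var proxy    = IPAddress.Parse("10.0.0.5");      // the known proxy

        // Direct client sends the payload: header ignored, peer address logged.
        Console.WriteLine(ClientIpResolver.Resolve(payload, attacker));

        // Payload arrives via the proxy: it does not parse, proxy address logged.
        Console.WriteLine(ClientIpResolver.Resolve(payload, proxy));

        // Legitimate chain via the proxy: the entry the proxy appended is used.
        Console.WriteLine(ClientIpResolver.Resolve("198.51.100.4, 192.0.2.9", proxy));
    }
}
```

In an ASP.NET Core application the same policy can be applied with the framework's ForwardedHeaders middleware (UseForwardedHeaders with ForwardedHeadersOptions.KnownProxies), after which HttpContext.Connection.RemoteIpAddress already holds the proxy-supplied client address and the custom header lookup can be dropped. Validating the input is not a substitute for output encoding: whatever view renders the ActionLog IP column must still HTML-encode the value, since the same column could be populated by other paths.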
Impact
This issue leads to stored cross-site scripting: a payload placed in the X-Forwarded-For header by any caller executes in the browser of whoever views the action log at /_Admin/ActionLog/Search or /_Admin/ActionLog/Details.
Versions v3.0.1 and earlier are affected.