Cross Site Scripting in Search Backend/Proxy
skremdwd opened this issue · 3 comments
Describe the bug
It is possible to execute JavaScript that is put in the URL/GET part of the HTTP request, which can lead to Cross-Site Scripting.
Desktop:
Windows + Firefox 132.0
To Reproduce
Example URL:
https://<metagrid-instance>/metagrid-backend/proxy/search?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328&offset=0&limit=10&type=Dataset&format=application%2Fsolr%2Bjson&facets=project%2C
A "1" will be displayed with a JS alert box and the Content-Type is wrongly set to: text/html;
Expected behavior
Return of a correct Content Type like json or solr json.
The esg-search handles this correctly (Content-Type: text/json;), so it seems like the issue is within the metagrid backend service:
https://<esgf-instance>/esg-search/search?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328&offset=0&limit=10&type=Dataset&format=application%2Fsolr%2Bjson&facets=project%2C
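Added illustration of the behaviour reported above, not Metagrid's own code: a proxy error path that echoes the decoded `project` value into an HTML body (the reported failure mode) beside one that keeps a JSON content type, plus a check that tells the two apart. Function names and the error body shape are hypothetical; the URL is constructed from the report's example.

```python
# Illustration of the reported proxy behaviour, not Metagrid's code.
# Function names and the error body layout are hypothetical.
import json
from urllib.parse import parse_qs, urlsplit

# Constructed request with the same query shape as the report's example URL.
REPORTED_URL = ("https://metagrid.example/metagrid-backend/proxy/search"
                "?project=r%3Cs%3Eevqui%3Cscript%3Ealert(1)%3C%2fscript%3Ery328"
                "&offset=0&limit=10&type=Dataset")


def project_param(url: str) -> str:
    """Return the percent-decoded 'project' query value ('' when absent)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("project", [""])[0]


def vulnerable_error_response(url: str) -> tuple[dict, str]:
    """Pattern the report describes: raw parameter echoed into an HTML body."""
    body = f"<html><body>No results for project {project_param(url)}</body></html>"
    return {"Content-Type": "text/html"}, body


def hardened_error_response(url: str) -> tuple[dict, str]:
    """Keep the upstream's JSON content type; never hand the browser HTML."""
    headers = {
        "Content-Type": "application/json",
        "X-Content-Type-Options": "nosniff",  # stops MIME sniffing back to HTML
    }
    # json.dumps quotes the value; with a JSON content type the browser
    # does not parse '<script>' as markup.
    body = json.dumps({"error": "no results", "project": project_param(url)})
    return headers, body


def is_script_executable(headers: dict, body: str) -> bool:
    """Check a proxy reply: HTML content type together with a raw script tag."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype == "text/html" and "<script>" in body.lower()
```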
This should be a trivial change to correct. Aside from "parlour tricks" of running some Javascript in your own browser, are there specific security risks from this that an attacker could use? (that said, this is so trivial I'm inclined to patch at the LLNL production deployment. )
We have a patch included in the latest update.
Thanks for the fast fix! I am not too deep into that topic, but combined with a JS exploit and hidden in a redirect/link this may be a real problem/point of attack.
My "double tap" workaround for my Nginx rev. proxy if someone has no time to update in the near future:
# After proxy_pass ...
proxy_hide_header Content-Type;        # drop the upstream's Content-Type (text/html) header
types { } default_type "text/json";    # no MIME map in this location; nginx's own default becomes text/json
add_header Content-Type "text/json";   # set it explicitly on the proxied reply
# Note: add_header only applies to 2xx/3xx replies unless the 'always' parameter is given.