Defect #15560
closed
Added by egor homakov over 10 years ago.
Updated 4 months ago.
Description
example - http://www.redmine.org/boards/2/topics/quote/5682.js
all files that respond with JS with private data for GET requests are vulnerable to homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
in redmine we should remove:
attachments/destroy.js.erb members/create.js.erb
attachments/upload.js.erb members/destroy.js.erb
custom_fields/new.js.erb members/update.js.erb
groups/add_users.js.erb messages/quote.js.erb
groups/autocomplete_for_user.js.erb repositories/add_related_issue.js.erb
groups/destroy_membership.js.erb repositories/new.js.erb
groups/edit_membership.js.erb repositories/remove_related_issue.js.erb
groups/remove_user.js.erb users/destroy_membership.js.erb
issue_categories/create.js.erb users/edit_membership.js.erb
issue_categories/new.js.erb versions/create.js.erb
issue_relations/create.js.erb versions/new.js.erb
issue_relations/destroy.js.erb versions/status_by.js.erb
issues/bulk_edit.js.erb watchers/_set_watcher.js.erb
issues/update_form.js.erb watchers/append.js.erb
journals/edit.js.erb watchers/create.js.erb
journals/new.js.erb watchers/destroy.js.erb
journals/update.js.erb watchers/new.js.erb
members/autocomplete.js.erb wikis/edit.js.erb
- Status changed from New to Needs feedback
I'm not fond of RJS neither but I can't see how an attacker will get access to the private data without first getting access to an authenticated user loaded page?
For example, there's no sensible data exposed by the server in your example?
i gave a link to my blog post above: http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
When redmine user visits 3rd party website, that website can include something like
<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script> or iterate all comments, or any other GET-accessible actions (check the files I listed above, some of them suit).
Also he redefines
function $(){ return {val: function(){ console.log('LEAKED',arguments);}}};
document.write('<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script>')
btw this route is has no CSRF protection
match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post
because no protect_from_forgery in SyScontroller
egor homakov wrote:
btw this route is has no CSRF protection
match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post
because no protect_from_forgery in SyScontroller
It's normal behavior, this controller is called for system task by passing a key as param.
I see, thanks.
i can't reproduce get 'watchers/new', :to => 'watchers#new'
but i think most of routes above work for admin users only. I don't have redmine installation to test, so quote-link is only example i have so far. Please check if there are other JS-responding GET routes, non-GET are fine.
- Related to Defect #17770: very simple fix: that causes many sites to break, and much confusion - incorrect use of .js suffix added
- Status changed from Needs feedback to Closed
- Resolution set to Fixed
This should be addressed for some time now with Rails' builtin XHR CSRF handling. The endpoints which return javascript all require that the request sets a X-Requested-With: XMLHttpRequest header. If such a header is not set in the request, the response is blocked by Rails' builtin ActionController::RequestForgeryProtection middleware.
Such a header is not (and can not) be set for "normal" included requests such as an inclusion of the resource in a <script> tag. It can only bet set by a JavaScript AJAX client (as is done by rails-ujs which is used by Redmine to requests these endpoints). Here, the clients are reqstricted by the same origin policy. As such, an external website can not request these endpoints via AJAX.
I believe it was, Egor, you who nudged Rails towards this solution in https://github.com/rails/rails/pull/13345 :)
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Toshi MARUYAMA 
Updated by