Project

General

Profile

Actions

Defect #15560

closed

RJS leaking

Added by egor homakov almost 11 years ago. Updated 11 months ago.

Status:
Closed
Priority:
Urgent
Assignee:
-
Category:
Security
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

example - http://www.redmine.org/boards/2/topics/quote/5682.js

all files that respond with JS with private data for GET requests are vulnerable to homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html

in redmine we should remove:

attachments/destroy.js.erb members/create.js.erb
attachments/upload.js.erb members/destroy.js.erb
custom_fields/new.js.erb members/update.js.erb
groups/add_users.js.erb messages/quote.js.erb
groups/autocomplete_for_user.js.erb repositories/add_related_issue.js.erb
groups/destroy_membership.js.erb repositories/new.js.erb
groups/edit_membership.js.erb repositories/remove_related_issue.js.erb
groups/remove_user.js.erb users/destroy_membership.js.erb
issue_categories/create.js.erb users/edit_membership.js.erb
issue_categories/new.js.erb versions/create.js.erb
issue_relations/create.js.erb versions/new.js.erb
issue_relations/destroy.js.erb versions/status_by.js.erb
issues/bulk_edit.js.erb watchers/_set_watcher.js.erb
issues/update_form.js.erb watchers/append.js.erb
journals/edit.js.erb watchers/create.js.erb
journals/new.js.erb watchers/destroy.js.erb
journals/update.js.erb watchers/new.js.erb
members/autocomplete.js.erb wikis/edit.js.erb


Related issues

Related to Redmine - Defect #17770: very simple fix: that causes many sites to break, and much confusion - incorrect use of .js suffixNew

Actions
Actions #1

Updated by Etienne Massip almost 11 years ago

  • Status changed from New to Needs feedback

I'm not fond of RJS neither but I can't see how an attacker will get access to the private data without first getting access to an authenticated user loaded page?

Actions #2

Updated by Etienne Massip almost 11 years ago

For example, there's no sensible data exposed by the server in your example?

Actions #3

Updated by egor homakov almost 11 years ago

i gave a link to my blog post above: http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html

When redmine user visits 3rd party website, that website can include something like
<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script> or iterate all comments, or any other GET-accessible actions (check the files I listed above, some of them suit).

Also he redefines

function $(){ return {val: function(){ console.log('LEAKED',arguments);}}};
document.write('<script src="http://www.redmine.org/boards/2/topics/quote/5682.js"></script>')

Actions #4

Updated by egor homakov almost 11 years ago

btw this route is has no CSRF protection

match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post

because no protect_from_forgery in SyScontroller

Actions #5

Updated by Etienne Massip almost 11 years ago

egor homakov wrote:

btw this route is has no CSRF protection

match 'sys/projects/:id/repository', :to => 'sys#create_project_repository', :via => :post

because no protect_from_forgery in SyScontroller

It's normal behavior, this controller is called for system task by passing a key as param.

Actions #6

Updated by egor homakov almost 11 years ago

I see, thanks.

i can't reproduce get 'watchers/new', :to => 'watchers#new'
but i think most of routes above work for admin users only. I don't have redmine installation to test, so quote-link is only example i have so far. Please check if there are other JS-responding GET routes, non-GET are fine.

Actions #7

Updated by Toshi MARUYAMA almost 7 years ago

  • Related to Defect #17770: very simple fix: that causes many sites to break, and much confusion - incorrect use of .js suffix added
Actions #8

Updated by Holger Just 11 months ago

  • Status changed from Needs feedback to Closed
  • Resolution set to Fixed

This should be addressed for some time now with Rails' builtin XHR CSRF handling. The endpoints which return javascript all require that the request sets a X-Requested-With: XMLHttpRequest header. If such a header is not set in the request, the response is blocked by Rails' builtin ActionController::RequestForgeryProtection middleware.

Such a header is not (and can not) be set for "normal" included requests such as an inclusion of the resource in a <script> tag. It can only bet set by a JavaScript AJAX client (as is done by rails-ujs which is used by Redmine to requests these endpoints). Here, the clients are reqstricted by the same origin policy. As such, an external website can not request these endpoints via AJAX.

I believe it was, Egor, you who nudged Rails towards this solution in https://github.com/rails/rails/pull/13345 :)

Actions

Also available in: Atom PDF