{"id":17724,"date":"2022-01-31T17:33:17","date_gmt":"2022-01-31T16:33:17","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=17724"},"modified":"2022-02-01T10:57:21","modified_gmt":"2022-02-01T09:57:21","slug":"usd-2021-0023","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2021-0023\/","title":{"rendered":"usd-2021-0023"},"content":{"rendered":"\n\n[et_pb_section fb_built=\"1\" _builder_version=\"4.9.4\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.9.4\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

usd-2021-0023 | Grafana<\/h1>\n

Advisory ID<\/strong>: usd-2021-0023
Affected Product<\/strong>: Grafana
Affected Version<\/strong>: < v8.1.3
Vulnerability Type<\/strong>: CWE-20: Improper Input Validation (https:\/\/cwe.mitre.org\/data\/definitions\/20.html)
Security Risk<\/strong>: Low
Vendor URL<\/strong>: https:\/\/grafana.com\/\u00a0<\/a>
Vendor Status<\/strong>: Fixed<\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

Grafana before v8.1.3 is vulnerable to Stylesheet injections that could be used to launch Scriptless Attacks<\/a>.<\/p>\n

Scriptless Attacks rely on the injection of untrusted stylesheets into a web application. By loading malicious stylesheets, an attacker can potentially disclose sensitive data.<\/p>\n

Grafana allowed users to customize the appearance of the application by choosing an UI theme<\/em>. In doing so, the application accepts arbitrary values as theme parameters and embeds the user controlled contents within an HTML link tag without sufficient sanitization.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

Note: the setup that was analyzed consisted of multiple applications that were deployed to different paths of the same domain (usd.de\/a\/, usd.de\/b\/, ...).<\/em><\/p>\n

A benign request to set the UI theme<\/em>\u00a0looks as follows:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

PUT \/monitoring\/api\/user\/preferences HTTP\/2
Host: usd.de
Cookie: [REDACTED]
[...]<\/p>\n

{
\"homeDashboardId\":1,
\"theme\":\"dark\",
\"timezone\":\"\"
}<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

As the theme<\/strong>\u00a0parameter is not sufficently sanitized, with the following request, any stylesheet that can be found on the webserver can be referenced:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

PUT \/monitoring\/api\/user\/preferences HTTP\/2
Host: usd.de
Cookie: [REDACTED]
[...]<\/p>\n

{
\"homeDashboardId\":1,
\"theme\":\"\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\/usd-api\/doc\/swagger-ui\/swagger-ui.css#\",
\"timezone\":\"\"
}<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

In the following, Grafana uses the theme<\/strong>\u00a0without further sanitization:<\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.9.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]

<link rel=\"stylesheet\" href=\"public\/build\/grafana.\/..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\u2215<\/span>..\/usd-api\/doc\/swagger-ui\/swagger-ui.css#.e45e7ed64ba6056a33a4.css\" \/><\/p>[\/et_pb_text][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]

The screenshot below indicates that the stylesheet is loaded:<\/p>[\/et_pb_text][et_pb_image src=\"https:\/\/herolab.usd.de\/wp-content\/uploads\/sites\/9\/2022\/01\/css-injection-grafana.png\" title_text=\"css-injection-grafana\" _builder_version=\"4.13.1\" _module_preset=\"default\" global_colors_info=\"{}\"][\/et_pb_image][et_pb_text _builder_version=\"4.13.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]

\n
\n

Fix<\/h3>\n

It is recommended to consider all user input to the application as potentially malicious. All input to the application should be verified and if necessary replaced. Meta characters should be treated with care. It is recommended to use whitelisting wherever possible.<\/p>\n

<\/h3>\n

References<\/h3>\n