CVE-2022-23544: Server-Side Request Forgery in Metersphere leads to Cross-Site Scripting

MeterSphere is a one-stop open source continuous testing platform covering test management, interface testing, UI testing and performance testing. Versions prior to 2.5.0 are subject to a Server-Side Request Forgery that leads to Cross-Site Scripting. A Server-Side Request Forgery in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources and, through a reflected XSS, to execute JavaScript code in the context of Metersphere's origin in a victim's browser. This vulnerability has been fixed in v2.5.0. There are no known workarounds.

Category: CVE. Tags: #xss #vulnerability #git #java #ssrf

Summary

A Server-Side Request Forgery in IssueProxyResourceService::getMdImageByUrl allows an attacker to access internal resources and, through a reflected XSS, to execute JavaScript code in the context of Metersphere's origin in a victim's browser.

Details

Metersphere's IssueProxyResourceController exposes a /md/get/url endpoint that passes the user-controlled url GET parameter (1) straight to getMdImageByUrl (2).

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/controller/IssueProxyResourceController.java
@RestController
@RequestMapping(value = "/resource")
public class IssueProxyResourceController {
    @Resource
    IssueProxyResourceService issueProxyResourceService;

    // Every parameter below is taken directly from the query string of the GET request.
    @GetMapping(value = "/md/get/url")
    public ResponseEntity<byte[]> getFileByUrl(@RequestParam("url") String url,
                                               @RequestParam(value = "platform", required = false) String platform, // 1
                                               @RequestParam("project_id") String projectId,
                                               @RequestParam("workspace_id") String workspaceId) {
        // The url value is handed to the service without any validation.
        return issueProxyResourceService.getMdImageByUrl(url, platform, projectId, workspaceId); // 2
    }
}

getMdImageByUrl then passes url to RestTemplate's exchange method at (3), which performs an HTTP GET to the caller-supplied url and returns the response to the requester. The only check beforehand is that url does not contain the string md/get/url, which prevents the endpoint from calling itself but does nothing to stop requests to internal hosts or to arbitrary external content.

// https://github.com/metersphere/metersphere/blob/165ceb70edca4c9a712aeb6b8e882270074f0736/test-track/backend/src/main/java/io/metersphere/service/wapper/IssueProxyResourceService.java#L32
public ResponseEntity<byte[]> getMdImageByUrl(String url, String platform, String projectId, String workspaceId) {
    // The only guard: refuse URLs that point back at this same endpoint.
    if (url.contains("md/get/url")) {
        MSException.throwException(Translator.get("invalid_parameter"));
    }
    …
    // Server-side fetch of an arbitrary, caller-chosen URL; the upstream response is returned as-is.
    return restTemplate.exchange(url, HttpMethod.GET, null, byte[].class); // 3
}
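The hardened stand-in below is an added example written for this page; it is not Metersphere's code and not the fix shipped in d0f95b5. It assumes Spring Web (RestTemplate, ResponseEntity, HttpHeaders, ContentDisposition) and Java 11 or later; the SafeMdImageFetcher class, the ALLOWED_HOSTS set and the host names in it are hypothetical names chosen for illustration. It addresses both halves of the finding: the SSRF, by accepting only http(s) URLs whose host is on a per-deployment allowlist and resolves to a public address, and the reflected XSS, by forwarding only an image body under a fixed, nosniff Content-Type instead of echoing whatever the upstream server returned.

```java
// Added example (not Metersphere's code): a hardened stand-in for getMdImageByUrl.
// Assumptions: Spring Web on the classpath, Java 11+; ALLOWED_HOSTS and the host
// names inside it are hypothetical values for illustration.
import java.net.InetAddress;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Set;

import org.springframework.http.ContentDisposition;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.client.RestTemplate;

public class SafeMdImageFetcher {

    // Hypothetical allowlist: only the issue-tracker hosts this deployment integrates with.
    private static final Set<String> ALLOWED_HOSTS =
            Set.of("jira.example.internal", "gitlab.example.com");

    // Only image types may be relayed to the browser; anything else is refused, not echoed.
    private static final List<MediaType> IMAGE_TYPES =
            List.of(MediaType.IMAGE_PNG, MediaType.IMAGE_JPEG, MediaType.IMAGE_GIF);

    private final RestTemplate restTemplate;

    public SafeMdImageFetcher(RestTemplate restTemplate) {
        this.restTemplate = restTemplate;
    }

    /** Returns a validated absolute URI or throws. Resolves the host but sends no request. */
    static URI validate(String url) throws URISyntaxException, UnknownHostException {
        URI uri = new URI(url);
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            throw new IllegalArgumentException("only http(s) URLs are accepted");
        }
        if (uri.getUserInfo() != null) {
            throw new IllegalArgumentException("credentials in the URL are not accepted");
        }
        String host = uri.getHost();
        if (host == null || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new IllegalArgumentException("host is not on the allowlist");
        }
        // Defence in depth: even an allowlisted name must not resolve to an internal address.
        for (InetAddress addr : InetAddress.getAllByName(host)) {
            if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                    || addr.isLinkLocalAddress() || addr.isAnyLocalAddress()) {
                throw new IllegalArgumentException("host resolves to an internal address");
            }
        }
        return uri;
    }

    public ResponseEntity<byte[]> getMdImageByUrl(String url) throws Exception {
        URI target = validate(url);
        ResponseEntity<byte[]> upstream = restTemplate.exchange(target, HttpMethod.GET, null, byte[].class);

        MediaType type = upstream.getHeaders().getContentType();
        if (type == null || IMAGE_TYPES.stream().noneMatch(t -> t.includes(type))) {
            throw new IllegalArgumentException("upstream did not return an image");
        }

        // Rebuild the response: forward only the body and a fixed set of headers, so upstream
        // HTML, scripts or cookies never reach the browser inside this application's origin.
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(type);
        headers.set("X-Content-Type-Options", "nosniff");
        headers.setContentDisposition(ContentDisposition.attachment().filename("image").build());
        return new ResponseEntity<>(upstream.getBody(), headers, HttpStatus.OK);
    }
}
```

Two caveats apply to this shape of fix. The resolved-address check runs before the request, so a name that changes between validation and fetch (DNS rebinding) can still slip through; pinning the resolved address into the HTTP client, or performing the check inside the client's connection setup, closes that gap. RestTemplate's default client also follows HTTP redirects, so a redirect from an allowlisted host could land elsewhere; disable redirect following or re-validate every hop. The host allowlist is the primary control; the private-range check only backs it up.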

PoC

curl -X GET 'http://127.0.0.1:8081/resource/md/get/url?url=https://securitylab.github.com'

Patches

The vulnerability has been fixed in v2.5.0.

  • d0f95b5: Restrict the path used by RestTemplate.

Workarounds

It is recommended to upgrade to v2.5.0.

For more information

If you have any questions or comments about this advisory, please open an issue.
