<p><a href="https://github.com/areynold"><img src="https://avatars.githubusercontent.com/u/755312?" align="left" width="96" height="96" hspace="10" style="max-width:100%;"></a> <strong>Issue by <a href="https://github.com/areynold">areynold</a></strong><br><em>Monday Sep 09, 2013 at 15:42 GMT</em><br><em>Originally opened as <a href="https://github.com/opentechinstitute/luci-commotion-apps/issues/12" class="issue-link" title="Stored XSS in local application URL (High)">opentechinstitute/luci-commotion-apps#12</a></em></p>
<hr><p>The Commotion node web interface allows anonymous (unauthenticated) users of the node to add local application URLs using Application Portal. Before checking the application URL passed in ipaddr parameter is sanitized as described in issue <a href="https://github.com/opentechinstitute/luci-commotion/pull/10" class="issue-link" title="added dhcp timeout form field to meshconfig cbi page">#10</a>, namely the protocol and path parts are stripped out from the URL to perform port scan. When the port scan is successful, application is added to the pool and is later visible to other node users. Optionally administrator can approve the application on admin/commotion/apps page.</p>
<p>It is possible to inject javascript code as an application URL, such that it will still pass the port scanning check.</p>
<p>This can be used e.g. to trick Node administrator into clicking on application link and taking over CSRF token and session ID to hijack administrative session. As original form to add application does not require authentication or Anti CSRF tokens, the attack can be effectively performed from the Internet by enticing Commotion node<br>
users to visit a certain malicious page.</p>
<p>Originally reported in WRT-01-007</p>
<p style="font-size:small;-webkit-text-size-adjust:none;color:#666;">—<br>Reply to this email directly or <a href="https://github.com/opentechinstitute/luci-commotion/issues/330">view it on GitHub</a>.<img alt="" height="1" src="https://github.com/notifications/beacon/3074564__eyJzY29wZSI6Ik5ld3NpZXM6QmVhY29uIiwiZXhwaXJlcyI6MTcxODczMjk1NiwiZGF0YSI6eyJpZCI6MzQ5ODEyMjl9fQ==--5115a426ebac6910be1dc569ec7d871d08d5d1d9.gif" width="1" /></p>