webssh
webssh copied to clipboard
Published
20 hours ago •
huashengdun
huashengdun
XSS injection in webssh hostname field
There is a XSS injection attack possible against the hostname field of webssh. For example if webssh is port 443 of the local machine
https://localhost/?hostname=%3Cscript%3Ealert(%221%22)%3C/script%3E
will demonstrate the existence of the attack.
The patch
--- static/js/main.js.orig 2024-03-11 17:12:37.270301908 +0000
+++ static/js/main.js 2024-03-11 18:31:04.497099056 +0000
@@ -325,7 +325,7 @@
function log_status(text, to_populate) {
console.log(text);
- status.html(text.split('\n').join('<br/>'));
+ status.html(text.replace(/&/, '&').replace(/</g, '<').replace(/>/g, '>').replace(/"/g, '"').replace(/'/g, ''').split('\n').join('</br>'));
if (to_populate && validated_form_data) {
populate_form(validated_form_data);
will fix the problem. Can't use "status.text" to replace "status.html" as we're adding "</br>"'s to the text