blackbox_exporter
Potential XSS issue
When using /probe with ?debug=true, we do not encode the response we receive. Therefore, if a user has Internet Explorer with disabled security, it would ignore the MIME type we send (text/plain) and could render the HTML of the target page.
Encoding to HTML would prevent this but break it for other users.
This is a low-severity security issue because the users need to have disabled security.
Additionally, we are documenting already that we allow arbitrary endpoints in our security docs:
https://prometheus.io/docs/operating/security/
There are also exporters such as the SNMP and Blackbox exporters that take their targets from URL parameters. Thus anyone with HTTP access to these exporters can make them send requests to arbitrary endpoints.
I have made this bug public because it seems that the security issue is not at the Blackbox Exporter level, which sends the correct encoding, but that it is a security issue in the browsers that do not respect this.
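Added example, not blackbox_exporter's code: a stand-in for a debug-style handler that echoes a probed target's body as text/plain. It contrasts the two responses described above (verbatim plain text, and HTML-encoded output) and shows the standard way to stop a browser from sniffing a text/plain body as HTML, the X-Content-Type-Options: nosniff header. The handler, the sample target body and the function names are constructed for this example and are not from the exporter.

```go
package main

import (
	"fmt"
	"html"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed sample of what a probed target might return. In a real probe
// this is whatever the remote endpoint serves, so it is attacker-controlled.
const sampleTargetBody = "<html><body><script>alert(document.cookie)</script></body></html>"

// debugHandler echoes a target's response body the way a /probe?debug=true
// style endpoint does. It is written for this example and is not the
// exporter's handler. With nosniff=true it adds X-Content-Type-Options,
// which tells browsers to honour the declared text/plain type instead of
// sniffing the body and rendering it as HTML.
func debugHandler(body string, nosniff bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		if nosniff {
			w.Header().Set("X-Content-Type-Options", "nosniff")
		}
		// The body is written verbatim: no HTML encoding is applied because
		// the response is declared as plain text, matching the issue text.
		io.WriteString(w, body)
	}
}

// serveDebug runs the handler against an in-memory request and returns the
// response so headers and body can be inspected without any network access.
func serveDebug(body string, nosniff bool) *http.Response {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/probe?debug=true", nil)
	debugHandler(body, nosniff)(rec, req)
	return rec.Result()
}

// escapedBody shows the alternative the issue rejects: HTML-encoding the
// body. The result can no longer be rendered as markup, but it also no longer
// matches what the target actually sent, which is what a debug view is for.
func escapedBody(body string) string {
	return html.EscapeString(body)
}

func main() {
	resp := serveDebug(sampleTargetBody, true)
	b, _ := io.ReadAll(resp.Body)
	fmt.Println("Content-Type:", resp.Header.Get("Content-Type"))
	fmt.Println("X-Content-Type-Options:", resp.Header.Get("X-Content-Type-Options"))
	fmt.Println("verbatim body:", string(b))
	fmt.Println("encoded body: ", escapedBody(sampleTargetBody))
}
```

The nosniff variant keeps the debug output byte-for-byte identical for everyone (curl, text editors, other browsers) while removing the content-sniffing path the issue describes; the encoded variant is the one the issue notes would break the output for other users.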
@ribbybibby It only affects IE users, right?