XSS in Blazegraph workbench #144
lucaswerkmeister pushed a commit to lucaswerkmeister/database that referenced this issue on Jul 16, 2019.
TL;DR: apply #145
The Blazegraph workbench, the default web UI of Blazegraph, doesn't HTML-escape results. If you run a query like
then the embedded JavaScript will run:
This means that an attacker who can to some extent control the content of a Blazegraph database (for example, by editing some upstream data storage that Blazegraph is automatically synchronized with) may be able to gain full control over an administrator's workbench if they can guess what queries the administrator is likely to run, or manipulate the administrator into running a certain query that will display the attacker's malicious result.
For example, the attacker could set the label of a Wikidata item to something like <script>fetch('/bigdata/namespace/wdq', { method: 'DELETE' })</script>, then complain about a supposed data corruption issue on this item and hope the administrator will run some query like DESCRIBE wd:[item ID] in the workbench, bypassing whatever proxy usually protects Blazegraph against such requests.

I reported this issue via email in accordance with the security policy months ago, but did not receive any response (as detailed in BLZG-9163). To give other Blazegraph users a chance of protecting themselves against the issue, I am now reporting it publicly, along with the fix we implemented for it at Wikimedia, which may be found in #145.
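The following is an added illustration of the defect described above and of the kind of escaping that closes it; it is not Blazegraph's workbench code nor the fix in #145. The result row (a Wikidata item with the label payload from the report) is constructed, and the function names are this example's own.

```javascript
// Added example (not Blazegraph's code or the #145 fix): escape SPARQL result
// values before they are concatenated into the workbench's result table HTML.

// Minimal HTML escaping for text placed in element content or quoted attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// A SPARQL JSON result row as the workbench would receive it (constructed;
// Q42 is a sample item ID, the label is the payload quoted in the report).
const sampleRow = {
  item:  { type: 'uri',     value: 'http://www.wikidata.org/entity/Q42' },
  label: { type: 'literal', value: "<script>fetch('/bigdata/namespace/wdq', { method: 'DELETE' })</script>" },
};

function cellValue(row, v) {
  return row[v] ? row[v].value : '';
}

// Vulnerable rendering: raw values are concatenated into markup, so a literal
// containing <script> becomes live markup once the string reaches innerHTML.
function renderRowUnescaped(vars, row) {
  return '<tr>' + vars.map((v) => '<td>' + cellValue(row, v) + '</td>').join('') + '</tr>';
}

// Hardened rendering: every value is escaped, so the same literal is displayed
// as text and the browser never sees a script element.
function renderRowEscaped(vars, row) {
  return '<tr>' + vars.map((v) => '<td>' + escapeHtml(cellValue(row, v)) + '</td>').join('') + '</tr>';
}

// Regression check: no tag originating from a result value may survive
// into the rendered markup.
function containsRawTag(html, tag) {
  return html.toLowerCase().includes('<' + tag.toLowerCase());
}

console.log(renderRowEscaped(['item', 'label'], sampleRow));
```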