Ajenti Stored XSS Vulnerability Through Log Files

Hi

Today I decided to test server management applications. While searching for this kind of application on Google I came across Ajenti, which is the most beautiful and effective one. It is developed with Python and CoffeeScript.

Let me show you what I found and how.

Terminal Access Through Ajenti

Ajenti provides access to your Linux server's terminal through the web browser. Thus you can execute any command as root and retrieve the results of the executed commands.

Ajenti Terminal

Let me show how Ajenti handles an executed command's results and how it renders them.

The following code was grabbed from the /ajenti:static/resources.js file.

Please have a look at lines 15 and 25.

Ajenti takes the div with the "term" id and appends the line that came from the server side with html(). As we know, using a user-controlled variable in jQuery's html() function causes an XSS vulnerability.

Attack Vector

As Linux admins we usually read log files. In this scenario I assume that a user can log in to the FTP service with credentials. FTP services log failed attempts.

The following output was grabbed from the vsftpd service.

You can see our payload located in the log file!

Step 1: The attacker tries to log in to the FTP service with the following username and password

USERNAME : <svg onload=alert(document.cookie)>

PASSWORD : Foo

Step 2: This login attempt will fail. The FTP service writes the username and password into the log file.

Step 3: If the sysadmin reads the log file with the Ajenti web terminal, the XSS payload will be executed.

ajenti xss
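To make the root cause from the resources.js discussion and the three-step scenario above concrete, here is an added example (not Ajenti's code) contrasting the unsafe "raw line into html()" pattern with an escaped render, run over a constructed vsftpd-style log line; the log text, IP address and helper names are assumptions for illustration.

```javascript
// Constructed sample terminal output, shaped like a vsftpd failed-login entry.
// Nothing here is taken from a real server.
const SAMPLE_LINES = [
  "Fri Oct 10 17:55:01 2014 [pid 1234] CONNECT: Client \"203.0.113.5\"",
  "Fri Oct 10 17:55:03 2014 [pid 1234] [<svg onload=alert(document.cookie)>] FAIL LOGIN: Client \"203.0.113.5\"",
];

// Minimal HTML escaping: enough to stop markup inside a log line from turning
// into DOM nodes when the string is assigned to innerHTML or passed to .html().
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern, as the write-up describes it: the server-side line is
// concatenated straight into markup, so a tag in a log file becomes live HTML.
function renderLineUnsafe(line) {
  return "<div class=\"line\">" + line + "</div>";
}

// Hardened pattern: escape first. In a browser the equivalent is to set the
// text with textContent / jQuery .text() rather than .html().
function renderLineSafe(line) {
  return "<div class=\"line\">" + escapeHtml(line) + "</div>";
}

// Crude review check over rendered markup: which tag names other than the
// expected wrapper survived? Returns an array of offending (lowercased) names.
function findUnexpectedTags(html, allowed = ["div"]) {
  const found = [];
  const re = /<\/?([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.includes(name)) found.push(name);
  }
  return found;
}

// Stand-alone demonstration: the same log line through both renderers.
console.log("unsafe leaks:", findUnexpectedTags(renderLineUnsafe(SAMPLE_LINES[1])));
console.log("safe leaks:  ", findUnexpectedTags(renderLineSafe(SAMPLE_LINES[1])));
```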

Timeline

10 October 2014 17:55 – Vulnerability discovered during code review.

10 October 2014 18:03 – Test case and PoC.

10 October 2014 19:00 – Write-up published.

10 October 2014 19:10 – Got in touch with the vendor ( https://github.com/Eugeny/ajenti/issues/602 )

10 October 2014 20:29 – Vulnerability fixed. ( https://github.com/Eugeny/ajenti/commit/d94680990a9f89d7b164354ac43fedc3d650f154 )