Reflected XSS on Sidekiq through multiple endpoints via GET parameter "period" in sidekiq/sidekiq
Apr 2nd 2023
Reflected XSS attacks, also known as non-persistent attacks, occur when a malicious script is reflected off a web application into the victim's browser.
Proof of Concept
Some metrics must have been recorded during the default period (the default value of the period parameter), so that the metrics page renders.
You simply have to set the payload in the period parameter.
Example of URL with payload:
An XSS vulnerability on a Sidekiq admin panel can pose serious risks to the security and functionality of the system. In particular, this type of vulnerability can allow an attacker to execute malicious code within the context of the Sidekiq admin panel, which can potentially stop the process, leak all the metrics, and even remove the queue altogether.
Stopping the process is one of the most severe consequences of an XSS attack on Sidekiq, as it can lead to a complete halt of the system's operations. This can have significant implications for businesses or organizations that rely on Sidekiq to manage their background jobs and tasks. If the process is stopped, critical tasks such as sending emails, processing payments, or performing other time-sensitive functions can be disrupted, leading to potential losses of revenue or reputation.
Leaking all the metrics is another risk that can result from an XSS vulnerability on a Sidekiq admin panel. Metrics provide valuable information about the system's performance, and an attacker who gains access to this data can potentially use it to identify vulnerabilities or weaknesses in the system. This can lead to further attacks or exploitation, putting the system and its users at risk.
Removing the queue is yet another consequence of an XSS attack on Sidekiq. The queue is an essential component of Sidekiq, responsible for managing and prioritizing the background jobs and tasks. If an attacker can remove the queue, all the pending jobs and tasks will be lost, potentially leading to data loss or disruption of critical business processes.
In summary, an XSS vulnerability on a Sidekiq admin panel can have severe consequences, including stopping the process, leaking all the metrics, and removing the queue. It is essential for organizations to take proactive measures to mitigate these risks by implementing robust security measures, such as regularly updating software, configuring proper access controls, and implementing web application firewalls.
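The pattern behind this class of bug, shown as an added Ruby example that is not Sidekiq's own code: a query parameter interpolated straight into the page beside a hardened version that validates the period against an allowlist and HTML-escapes it on output. The allowlist values and the untrusted input are constructed for the example.

```ruby
require "erb"

# Constructed allowlist of metrics periods for this example; the real
# Sidekiq Web UI defines its own set of accepted values.
ALLOWED_PERIODS = %w[1h 2h 4h 8h].freeze
DEFAULT_PERIOD = "1h".freeze

# Vulnerable pattern: the raw query parameter is interpolated into the page,
# so any markup the client sends becomes part of the rendered HTML.
def render_period_unsafe(param)
  period = param.nil? || param.empty? ? DEFAULT_PERIOD : param
  "<p>Showing metrics for the last #{period}</p>"
end

# Hardened pattern, layer 1: anything outside the allowlist falls back to the
# default instead of being echoed.
def sanitize_period(param)
  ALLOWED_PERIODS.include?(param) ? param : DEFAULT_PERIOD
end

# Hardened pattern, layer 2: escape on output as well, so that a future bug in
# the allowlist still cannot inject markup into the page.
def render_period_safe(param)
  period = ERB::Util.html_escape(sanitize_period(param))
  "<p>Showing metrics for the last #{period}</p>"
end

# Constructed untrusted input standing in for a hostile query parameter.
UNTRUSTED = "<script>x</script>".freeze

if __FILE__ == $PROGRAM_NAME
  puts render_period_unsafe(UNTRUSTED) # markup reaches the page verbatim
  puts render_period_safe(UNTRUSTED)   # falls back to the default period
  puts render_period_safe("4h")        # valid value passes through unchanged
end
```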
@admin, the affected version range published in the CVE should be >=7.0.4, <7.0.8. Not simply <7.0.8.
Issue introduced in this PR: https://github.com/sidekiq/sidekiq/pull/5694. Merged 2023-01-24 and released in 7.0.4.
Issue resolved in https://github.com/sidekiq/sidekiq/commit/458fdf74176a9881478c48dc5cf0269107b22214 and released in 7.0.8. Affected versions confirmed by maintainer in commit message.
We have updated the versions affected on the report and the CVE, as requested.