CVE-2019-3911: Reflected XSS
Numerous XSS flaws exists in LabKey Server Community Edition prior to 18.3.0. For all query-* functions in the query viewers with the exception of query-selectAllRows, the “query.sort” parameter in particular does not appear to be validated or sanitized in any way. Since this parameter is reflected in the output to the user and interpreted by the browser, a cross site scripting attack becomes possible. This allows an attacker to run arbitrary code within the context of the user’s browser.
These attacks are possible both authenticated on any project as well as unauthenticated via extra “__r#” paths that appear to have limited functionality, but are available in a default installation.
Below are examples of attacks that are triggered without authentication and then with authentication. The attack consists of including an image tag in the query.sort parameter with an invalid source. When the browser attempts to load this image, it will trigger an error, which cause the “alert(1)” javascript to run.
http://[host]/labkey/__r2/query-printRows.view?schemaName=ListManager&query.queryName=ListManager&query.sort=Nameelk5q%3Cimg%20src%3da%20onerror%3dalert(1)%3Ezp59r&query.containerFilterName=CurrentAndSubfolders&query.selectionKey=%24ListManager%24ListManager%24%24query&query.showRows=ALL
http://[host]/labkey/test_project/query-printRows.view?schemaName=ListManager&query.queryName=ListManager&query.sort=Name%3Cimg%20src%3da%20onerror%3dalert(1)%3E
This also affects parameters in other modules, such as Announcements, which are easily triggered unauthenticated as well via the Announcement.sort parameter or any other parameters that are reflected in responses.
CVE-2019-3912: Open Redirects
Open redirects via returnUrl exist throughout LabKey Server. The __r paths appear to be the easiest to manipulate. An attacker may utilize these to redirect users to a location controlled by the attacker themselves.
GET /labkey/__r1/login-login.view?returnUrl=http://evil.tld HTTP/1.1
Host: [host]
Accept-Encoding: gzip, deflateAccept: */*Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://[host]/labkey/login-login.view?returnUrl=%2Flabkey%2F__r1%2Fadmin-createFolder.view%3F
Cookie: X-LABKEY-CSRF=00ccaab3e5fccc4fd306acb09fedc936;
JSESSIONID=30E2500105179B0415819804D11A36E7
CVE-2019-3913: Logic Flaw in Network Drive Mapping Functionality
When attempting to map a network drive, a user is able to manipulate the arguments of the “net use” command due to improper sanitation of the supplied values, and simply abuse logic of the mapping utility itself. Note that admin access to the web interface is required for this vulnerability. The vulnerable code exists within labkey/server/api/src/org/labkey/api/util/NetworkDrive.java.
The vulnerable function can be found below:
public String mount(char driveChar) throws InterruptedException, IOException
{
unmount(driveChar);
StringBuilder sb = new StringBuilder();
sb.append("net use ");
sb.append(driveChar);
sb.append(": ");
sb.append(getPath());
sb.append(" ");
if (getPassword() != null && !"".equals(getPassword().trim()))
{
sb.append(getPassword());
}
if (getUser() != null && !"".equals(getUser().trim()))
{
sb.append(" /USER:");
sb.append(getUser());
}
String connCommand = sb.toString();
Process p = Runtime.getRuntime().exec(connCommand);
As an example proof of concept, notice how the mount command always attempts to run “unmount()” at the start of any “mount()” operation. This means that a user is able to supply any valid drive letter and the application (running with elevated privileges on the host) will end the connection regardless of whether or not the rest of the mapping command is correct.