Bug 491838 - Two security vulnerabilities
Status: RESOLVED WONTFIX
Product: Hudson
Classification: Technology
Component: Core
Version: 3.3.2
Hardware: PC Mac OS X
Importance: P3 major
Target Milestone: ---
Assignee: Winston Prakash CLA
QA Contact: Geoff Waymark CLA
Keywords: security

Reported: 2016-04-15 17:49 EDT by research Sonatype CLA
Modified: 2019-05-14 14:18 EDT
Description research Sonatype CLA 2016-04-15 17:49:03 EDT
The researchers at Sonatype Inc. have found multiple security vulnerabilities in the current release of Hudson. Please let us know how to responsibly disclose this information. We searched for documentation on how to properly do this but could not find anything for security related issues. We did find the following wiki but the link given returned a 404.

http://wiki.hudson-ci.org/display/HUDSON/Security+Advisories
Comment 1 Winston Prakash CLA 2016-04-18 12:38:43 EDT
Thanks for reporting. I marked this bug as "Committer-only group for handling security advisories in a closed fashion". So you can put the details in this issue itself.
Comment 2 research Sonatype CLA 2016-04-20 13:07:56 EDT
The first issue we have found is an open redirect weakness in the workspace viewer in the current Hudson release (3.3.3 at the time of this writing). The following URLs will redirect to www.sonatype.com:

http://localhost:8081/job/test/ws/fooBar.html?path=http://www.sonatype.com
http://localhost:8081/job/test/ws/fooBar.html?pattern=http://www.sonatype.com

Note: The file, in this case "fooBar.html", does not need to exist on the system for the redirect to work. However, the attacker would need to know the name of a valid job, in this case "test", on the server in order to craft the URL.

Protocol-relative URLs work as well; see the following examples.

http://localhost:8081/job/test/ws/fooBar.html?path=//www.sonatype.com
http://localhost:8081/job/test/ws/fooBar.html?pattern=//www.sonatype.com

The weakness is caused by the method serveFile() (http://git.eclipse.org/c/hudson/org.eclipse.hudson.core.git/tree/hudson-core/src/main/java/hudson/model/DirectoryBrowserSupport.java#n120) in the DirectoryBrowserSupport class which does not validate the values passed to it via the path and pattern URL parameters.

We used a default install of Hudson 3.3.3 by starting it with the java -jar command. The steps taken were:

- Downloaded the war from http://www.eclipse.org/downloads/download.php?file=/hudson/war/hudson-3.3.3.war
- Started Hudson via the command: java -jar hudson-3.3.3.war --httpPort=8081
- Verified Hudson was running.
- Did no plugin installations.
- Created a new job called "test".
- Did NO configurations on the screen that follows creating a new job.
- Had the job run the build process so that the workspace was created.
- Entered the following URL into Iceweasel and hit enter.
-- http://localhost:8081/job/test/ws/fooBar.html?path=//www.sonatype.com

This resulted in me being taken to www.sonatype.com.

------------------

The second vulnerability we want to report is an XSS in the workspace viewer. This was tested on the same setup as before. We then changed the workspace to use a custom workspace, which in our case was the desktop, where we created an HTML file called PoC.html with the line "<script>alert(1)</script>". Then we had the job build again and navigated to the workspace. From there we clicked the view button for the file. Then we removed the /*view*/ string from the URL and hit enter. The script executed.

Both issues noted here were also tested by deploying the WAR on a default install of Tomcat 8.0.9 and were successful as well.

Best regards,

Adam Cazzolla & Ben Bleiberg of Sonatype Inc.
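The XSS described in the comment above works because, without the /*view*/ segment, the workspace viewer serves a user-controlled file under its own content type, so PoC.html is rendered as a page of the Hudson origin. As an added example (not code from the Sonatype report or from Hudson), the following Python models the response headers a workspace file endpoint can set so that such a file is never rendered as active content in the application origin: markup types are forced to download, the view form is served as plain text, and every response carries nosniff plus a CSP sandbox. The function and constant names (`workspace_file_headers`, `is_active_content`, `ACTIVE_CONTENT_TYPES`) and the list of active types are assumptions for this example.

```python
import mimetypes

# Constructed list (assumption): content types a browser will execute script
# from when they are served from the application's own origin.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "text/xml",
    "application/xml",
}


def _header_safe_name(filename: str) -> str:
    """Last path component with characters that could break the header removed."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return "".join(ch for ch in base if ch not in '"\r\n' and ord(ch) >= 0x20) or "file"


def is_active_content(filename: str) -> bool:
    """True if the file's guessed type is one a browser would render as markup."""
    guessed, _ = mimetypes.guess_type(filename)
    return guessed in ACTIVE_CONTENT_TYPES


def workspace_file_headers(filename: str, view: bool) -> dict:
    """Response headers for serving one file out of a job workspace.

    `view` models the /*view*/ form of the URL in the report, which renders the
    file as text; with `view=False` the viewer served the file under its own
    content type, which is what let PoC.html execute.
    """
    guessed, _ = mimetypes.guess_type(filename)
    headers = {
        # Do not let the browser sniff a more dangerous type than the one declared.
        "X-Content-Type-Options": "nosniff",
        # Even if markup does get rendered, put it in a unique origin with scripts,
        # plugins and same-origin access disabled (no allow-* keywords).
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    if view:
        # Show the source as text, never as markup.
        headers["Content-Type"] = "text/plain; charset=utf-8"
        headers["Content-Disposition"] = "inline"
    elif guessed in ACTIVE_CONTENT_TYPES:
        # Keep the real type so the download is usable, but force a download
        # instead of inline rendering.
        headers["Content-Type"] = guessed
        headers["Content-Disposition"] = f'attachment; filename="{_header_safe_name(filename)}"'
    else:
        headers["Content-Type"] = guessed or "application/octet-stream"
        headers["Content-Disposition"] = f'inline; filename="{_header_safe_name(filename)}"'
    return headers


if __name__ == "__main__":
    for name, view in (("PoC.html", False), ("PoC.html", True), ("report.txt", False)):
        print(name, "view" if view else "raw", workspace_file_headers(name, view))
```

The CSP sandbox header is the belt-and-braces part: it still protects when the type guess is wrong or when an administrator has added a type to the server's MIME map. A stronger design, used by other CI servers, is to serve workspace files from a separate hostname so that even rendered HTML cannot reach the application's cookies; the header approach above is the minimal change that closes the reported case.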
Comment 3 Winston Prakash CLA 2016-04-21 10:21:40 EDT
Thanks for reporting the security issues. We will fix them as soon as possible.
Comment 4 research Sonatype CLA 2016-05-24 18:41:32 EDT
There is also a second open redirect in the 'from' parameter of the authentication functionality. This was replicated in 3.3.3.

Request:
--------
POST /j_spring_security_check HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 Iceweasel/31.8.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:8081/login?from=http://google.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 68

j_username=ben&j_password=ben&from=http%3A%2F%2Fgoogle.com&json=init


Response:
---------
HTTP/1.1 302 Found
Date: Tue, 24 May 2016 20:22:46 GMT
Set-Cookie: JSESSIONID=1llyohj7c5l0i1pd7dgnnwyzxw;Path=/
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Location: http://google.com
Content-Length: 0
Server: Jetty(9.2.10.v20150310)
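Both open redirects in this bug (the `path`/`pattern` parameters of the workspace viewer in Comment 2 and the `from` parameter of the login form above) have the same root cause: a request parameter is copied into a Location header without checking that it points back into this server. As an added example (not code from the Sonatype report or from Hudson), the following Python shows a validator that accepts only absolute paths on the local host and rejects the forms reported here (`http://host`, protocol-relative `//host`) along with a few equivalent spellings browsers accept. The helper names (`is_local_redirect`, `safe_redirect_location`, `location_for_login`) and the `DEFAULT_LANDING` value are assumptions; the form body used in the usage is the one from the request above.

```python
from urllib.parse import parse_qs, urlsplit

DEFAULT_LANDING = "/"  # assumption: where to send the browser when the target is rejected


def is_local_redirect(target: str) -> bool:
    """Return True only if `target` is an absolute path on this server.

    Rejects the forms shown in this bug (http://host and protocol-relative //host)
    together with a few spellings browsers treat the same way.
    """
    if not target:
        return False
    # CR/LF or other control characters in a Location value enable header injection,
    # and urlsplit would silently strip some of them, so check before parsing.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in target):
        return False
    # Browsers accept a backslash where a slash is expected, so "/\host" is "//host".
    normalized = target.replace("\\", "/")
    parts = urlsplit(normalized)
    # Anything with a scheme (http:, javascript:, data:, ...) or an authority is off-site.
    if parts.scheme or parts.netloc:
        return False
    # Only a single leading slash is accepted; "//" would be protocol-relative.
    return normalized.startswith("/") and not normalized.startswith("//")


def safe_redirect_location(target: str, default: str = DEFAULT_LANDING) -> str:
    """Value to place in the Location header: the target if local, else the default."""
    return target if is_local_redirect(target) else default


def location_for_login(form_body: str) -> str:
    """Pick the post-login Location from a form body like the one in the request above.

    parse_qs decodes the percent-encoding, so the check runs on the real value
    rather than on "http%3A%2F%2F...".
    """
    fields = parse_qs(form_body, keep_blank_values=True)
    return safe_redirect_location(fields.get("from", [""])[0])


if __name__ == "__main__":
    # Form body taken from the request in Comment 4.
    body = "j_username=ben&j_password=ben&from=http%3A%2F%2Fgoogle.com&json=init"
    print("login redirect ->", location_for_login(body))
    for candidate in ("http://www.sonatype.com", "//www.sonatype.com", "/job/test/ws/"):
        print(f"{candidate!r:32} local={is_local_redirect(candidate)}")
```

Relative paths without a leading slash (`job/test`) are rejected on purpose: a server that wants to allow them should resolve them against a known base first and then run the resolved absolute path through the same check. For the workspace viewer the cleaner fix is not to redirect on `path`/`pattern` at all and to treat the values purely as names inside the workspace; where a redirect is kept, the same validator applies.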
Comment 5 Wayne Beaton CLA 2018-05-22 15:08:29 EDT
Has this been addressed?

This has been marked "committer-only" for a very long time, it's past time to disclose. Unless there is good reason to not disclose, I'll remove the flag on my next pass.
Comment 6 Wayne Beaton CLA 2019-05-14 14:18:12 EDT
The Eclipse Hudson project has been terminated and archived.