Reflected Cross Site Scripting in Resque Scheduler

[trung512]

Exploit Title: Reflected Cross Site Scripting in Resque Scheduler

Date: 21/10/2022

Exploit Author: Trungvm of VietSunshine Cyber Security Services

Vendor Homepage: http://resque.github.io/

Tested version: v1.27.4

Description:

Resque Scheduler version 1.27.4 is affected by an Cross-site scripting vulnerability. A remote attacker could inject javascript code to the "{schedule_job}" or "args" parameter in /resque/delayed/jobs/{schedule_job}?args={args_id} to execute javascript at client side.

Steps to reproduce:

An attacker sends a draft URL https://[IP]/resque/delayed/jobs/{schedule_job}?args={args_id} to a victim. When an authenticated victim opens a URL, XSS will be triggered.

Payload example:

Ex1: https://[IP]/resque/delayed/jobs/%3Csvg%20onload=alert(document.domain)
Ex2: https://[IP/resque/delayed/jobs/EventEmailSalesTeamBefore48hrsJob?args=[%2249213%3Cimg+src=x+onerror=alert(document.domain)%3E%22]

POC

[jchristman]

Tested the Proofs of Concept from above and they work on a minimal, fresh install of Resque and Resque-Scheduler. The problem is not limited to version 1.27.4.

[PatrickTulskie]

This is fixed in resque-scheduler 4.10.2

Relevant PRs:
#780
#783

Thank you for reporting. A security advisory should be coming out shortly for this issue.

[nevans]

@PatrickTulskie Could you double-check the version numbers (both affected and patched) on GHSA-9hmq-fm33-x4xx? They are currently 2.10.x, but I think they should be 4.10.x, right? (Thanks!)

[PatrickTulskie]

@PatrickTulskie Could you double-check the version numbers (both affected and patched) on GHSA-9hmq-fm33-x4xx? They are currently 2.10.x, but I think they should be 4.10.x, right? (Thanks!)

You're 100% right. Thank you for the catch. I just fixed it.

[jchristman]

Thanks for the patch! Security Advisory is nicely detailed also.