CSV Injection in Kibana 6.6.1 up to the Latest Version 7.5.2
Dear reader,
A few days ago I was testing Kibana in my organization, which is using Kibana version 6.6.1. While testing, I was able to find a CSV injection in the Dashboard tab. There was no CVE or any other information about this specific vulnerability, so I reported this issue to Kibana; it will be fixed soon as a security hardening feature.
Let's start with the POC of this vulnerability.
Below are the steps to reproduce.
1. A large number of Kibana portals on the internet are open, have no authentication, and can be exploited by this injection.
2. Click on the Dashboard tab and select any dashboard from the list. I would suggest selecting a dashboard that has a gauge visualization type, as shown in the screenshot below.
5. It will open an options box; click on Edit Visualization.
6. It will open the edit page; click on the blue play button in front of any metric.
7. Here you can edit the metric information; we will be exploiting the custom Label.
8. In the Custom Label field, enter your CSV injection payload, e.g. @SUM(1+1)*cmd|' /c calc'!A0.
10. You are back in the dashboard graphical view; click on the three-dots button on top of the graphical box which you edited and click on INSPECT.
12. If you open the downloaded CSV in a spreadsheet application, the payload executes and opens the calculator.
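Hardening the export side against this class of bug, as an added example that is not Kibana's code: the escaping function below neutralizes formula-triggering cells using the commonly recommended approach (single-quote prefix plus RFC 4180 quoting), and a scanner flags cells in an existing export that would execute as formulas. The sample rows and all function names are constructed for this illustration.

```javascript
// Added example (not Kibana's code): hardening a CSV export against
// formula injection. Spreadsheet applications treat a cell that starts
// with = + - @ (and, in some versions, tab or carriage return) as a
// formula, so an attacker-controlled label such as the custom label in
// the post can become an executable formula when the export is opened.

const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

// True if the raw value would be interpreted as a formula by a spreadsheet.
function looksLikeFormula(value) {
  return value.length > 0 && FORMULA_TRIGGERS.has(value[0]);
}

// Render one cell for CSV output. Formula-like values are prefixed with a
// single quote so spreadsheets treat them as literal text; every cell is
// then quoted, with embedded double quotes doubled per RFC 4180.
// Trade-off: negative numbers stored as text ("-5") are also prefixed.
function escapeCsvCell(value) {
  let text = String(value);
  if (looksLikeFormula(text)) {
    text = "'" + text;
  }
  return '"' + text.replace(/"/g, '""') + '"';
}

// Serialize rows (arrays of cells) into CSV text with CRLF line endings.
function toSafeCsv(rows) {
  return rows.map((row) => row.map(escapeCsvCell).join(',')).join('\r\n') + '\r\n';
}

// Detection side: scan already-parsed rows of an export and report cells
// that would execute as formulas, e.g. exports produced without escaping.
function findFormulaCells(rows) {
  const hits = [];
  rows.forEach((row, r) => row.forEach((cell, c) => {
    if (looksLikeFormula(String(cell))) hits.push({ row: r, col: c, value: String(cell) });
  }));
  return hits;
}

// Constructed sample: the second row carries the payload quoted in the post
// as a metric label, as it would appear in a dashboard export.
const SAMPLE_ROWS = [
  ['label', 'count'],
  ["@SUM(1+1)*cmd|' /c calc'!A0", 42],
  ['plain label', 7],
];

console.log(findFormulaCells(SAMPLE_ROWS)); // one hit at row 1, col 0
console.log(toSafeCsv(SAMPLE_ROWS));        // payload cell now starts with '
```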