
zkau Cross Site Scripting (XSS) F5 firewall

asked 2021-01-26 02:00:36 +0800 by jstz

updated 2021-01-26 11:03:01 +0800 by cor3000 (ZK Team)

Hi:

I have a problem with a call to upload files with ZK 8.0.2.2 behind an F5 firewall, because this call is being rated as a security violation:

Requested URL   [HTTPS] /[CONTEXT]/zkau
Security Policy /Common/POLICY_PCI
Virtual Server  /Common/TPVS_TEST_2019 
Request Status  Blocked 

Decoded Request
POST /[CONTEXT]/zkau HTTP/1.1
Host: [URL]
Connection: keep-alive
Content-Length: 337
sec-ch-ua: "Google Chrome";v="87", " Not;A Brand";v="99", "Chromium";v="87"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 11_1_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
ZK-SID: 808
Content-Type: application/x-www-form-urlencoded;charset=UTF-8
Accept: */*
Origin: https://[URL]
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://[URL]/[CONTEXT]/[ZUL_PAGE].zul
Accept-Language: es-419,es;q=0.9
Cookie: JSESSIONID=23C26F76E36EA5F1A01C6428256AA42A; TS01d356d8=01037d2fb315cac4ce1e381dc75b97aa91631a14eed1f1bf062671439ab6eb311321cf929524a8e88a80a2c4a90e62eeb1ec89b1df429b2e737b8751213a5d26db1b8c7fb2; TS01038a28=01037d2fb3d792fc05ba4c32dd732b4a0312b54f64675106a38e3bada913cf058111af1bfefed111501f2238c1fdab84826bcff531

dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2","clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}

Violation Details
Attack signature detected [1]
Detected Keyword        cmd_1=onSelect
Attack Signature        ID200000
Name                    onselect... (Parameter)
Context                 Parameter (detected in Form Data)
Parameter Level         Global
Actual Parameter Name   cmd_1
Wildcard Parameter Name *
Parameter Value         onSelect

Can you help me?


Comments

Hi:

Thank you, the violation details are:

Violation Details

Attack signature detected [1]

Detected Keyword: cmd_1=onSelect

Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *

jstz ( 2021-01-27 04:07:25 +0800 )edit

Parameter Value: onSelect Applied Blocking Settings: Block Alarm Learn

The violation occurs where I try to choose a file to upload to the server.

jstz ( 2021-01-27 04:10:48 +0800 )edit

Thank you for your comments.

One additional question: have the parameters cmd0, cmd1, etc. always been used, that is, in previous versions?

Thank you so much.

jstz ( 2021-02-03 03:32:26 +0800 )edit

Yes, as long as I've been working with ZK (~8 years) this was the case; I think at least since ZK 5. E.g. you can verify that live on https://zkfiddle.org/ down to version 6.5.8.1.

cor3000 ( 2021-02-03 09:26:35 +0800 )edit

Here is the related source, in case you need proof for your security guys: https://github.com/zkoss/zk/blame/816ef760377f33d245d0b401e8593881b071af7b/zk/src/archive/web/js/zk/au.js

cor3000 ( 2021-02-03 09:28:50 +0800 )edit

2 Answers

answered 2021-01-26 11:16:12 +0800 by cor3000 (ZK Team)

updated 2021-01-26 11:18:21 +0800

Btw your request doesn't indicate any file upload operation.

The request looks correct from a ZK perspective, the onSelect event is a valid event for a component like a combobox or listbox.

I can't comment on the F5 firewall; I assume it needs some configuration. However, the Attack Signature ID200000 didn't give me any search results, so I can't comment on that.

answered 2021-01-27 10:10:24 +0800 by cor3000 (ZK Team)

Detected Keyword: cmd_1=onSelect

Attack Signature: ID 200001034 Name onselect... (Parameter) Context: Parameter (detected in Form Data) Actual Parameter Name: cmd_1 Wildcard Parameter Name: *

If that's the parameter the firewall is complaining about, then you'll have to disable the rule, or add an exception for the parameters needed by ZK. ZK's AU Engine needs a variable number of request parameters, sequenced like cmd_0, cmd_1, cmd_2 ... (also data_X and uuid_X), to allow multiple events to be sent within a single request to the server.

There's no way to disable/change this easily. You have to allow this in your firewall.

An alternative could be to switch to websockets.

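The answer above explains that one /zkau POST carries several events as sequenced cmd_N / uuid_N / data_N triples, and that the firewall fired because the value of cmd_1 happens to be the word onSelect. The following is an added example (not ZK's or F5's code) that parses such a body into its events and applies a narrow check: a request is treated as protocol-shaped, and therefore a candidate for a scoped WAF exception on /zkau, only when every cmd_N is a known ZK event name, has a matching uuid_N, and its data_N parses as JSON. It also runs a naive handler-name signature over cmd_N to show why a generic "onselect" rule matches. The event allow-list and the regex are assumptions for illustration, not ZK's full event set or F5's actual signature; the two request bodies are constructed, the first copied from the decoded request in the question.

```javascript
// Added example, not ZK or F5 code. Parses a ZK AU form body and decides,
// per event, whether it matches the protocol shape a scoped exception should
// cover, instead of disabling the "onselect" signature for the whole site.

// Assumed allow-list of ZK client event names for illustration only;
// the real set lives in ZK's au.js and component sources.
const ZK_EVENT_ALLOWLIST = new Set([
  "onClick", "onSelect", "onAnchorPos", "onChange", "onChanging", "onOK",
  "onCancel", "onOpen", "onClose", "onUpload", "onFocus", "onBlur", "onCheck",
]);

// Assumed stand-in for a generic attack signature that keys on HTML
// event-handler names appearing in parameter values (the kind of rule that
// fired in the post). Not F5's real signature.
const NAIVE_EVENT_HANDLER_SIGNATURE =
  /\bon(select|click|load|error|mouse\w+|key\w+|focus|blur|change)\b/i;

// Parse an application/x-www-form-urlencoded AU body into
// [{ index, cmd, uuid, data }] ordered by the numeric suffix N.
function parseAuEvents(body) {
  const params = new URLSearchParams(body);
  const byIndex = new Map();
  for (const [name, value] of params) {
    const m = /^(cmd|uuid|data)_(\d+)$/.exec(name);
    if (!m) continue; // e.g. dtid is not part of an event triple
    const field = m[1];
    const i = Number(m[2]);
    if (!byIndex.has(i)) byIndex.set(i, { index: i });
    byIndex.get(i)[field] = value;
  }
  return [...byIndex.values()].sort((a, b) => a.index - b.index);
}

// For each event report whether the naive signature would trip on cmd_N and
// whether the triple is well-formed enough to fall under a scoped exception:
// known event name, a uuid_N present, and data_N that is valid JSON.
function classifyAuRequest(body) {
  return parseAuEvents(body).map((ev) => {
    const cmd = typeof ev.cmd === "string" ? ev.cmd : "";
    const knownEvent = ZK_EVENT_ALLOWLIST.has(cmd);
    let dataIsJson = false;
    if (typeof ev.data === "string") {
      try { JSON.parse(ev.data); dataIsJson = true; } catch (e) { /* not JSON */ }
    }
    return {
      index: ev.index,
      cmd,
      wouldTripSignature: NAIVE_EVENT_HANDLER_SIGNATURE.test(cmd),
      allow: knownEvent && typeof ev.uuid === "string" && dataIsJson,
    };
  });
}

// Constructed sample 1: the decoded body from the question.
const POSTED_BODY =
  'dtid=z_ppm&cmd_0=onAnchorPos&uuid_0=wXBQn&data_0={"top":128,"left":0}' +
  '&cmd_1=onSelect&uuid_1=wXBQn&data_1={"items":["wXBQ_2"],"reference":"wXBQ_2",' +
  '"clearFirst":false,"selectAll":false,"pageX":207,"pageY":293,"which":1,"x":149,"y":174}';

// Constructed sample 2: same event name, but data_0 is not the JSON object
// the AU protocol sends, so it must stay under the signature's scrutiny.
const TAMPERED_BODY =
  'dtid=z_ppm&cmd_0=onSelect&uuid_0=wXBQn&data_0=<svg onload=1>';

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(classifyAuRequest(POSTED_BODY), null, 2));
  console.log(JSON.stringify(classifyAuRequest(TAMPERED_BODY), null, 2));
}
```

On the posted body both events are protocol-shaped, and only cmd_1 trips the naive handler-name rule, which is exactly the false positive the question reports; on the constructed tampered body the same onSelect value is not allowed because data_0 is not JSON. The practical takeaway is that an exception keyed on the /zkau URL plus the cmd_* wildcard parameter (what F5 reported as "Wildcard Parameter Name *") is far narrower than disabling the signature, and the data_N and uuid_N checks give the security team a concrete shape to whitelist rather than a bare keyword.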