
[Security Issue] Argument Injection #7170

Open
zidingz opened this issue Aug 19, 2021 · 0 comments


zidingz commented Aug 19, 2021

Description

In this case, the attacker can specify the value that enters the program at get() in customizer.js at line 137, and this value is used to access a system resource at get() in customizer.js at line 142.

Explanation:

A resource injection issue occurs when the following two conditions are met:

An attacker can specify the identifier used to access a system resource.
For example, an attacker might be able to specify a port number to be used to connect to a network resource.

By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
For example, the program may give the attacker the ability to transmit sensitive information to a third-party server.

PoC

    $http.get(FILES.JSON_THEMES)
      .then(function (themeList) {
        var promises = [];
        var themes = {};
        // Each entry of the fetched theme list is concatenated into the
        // request path without validation; this is the injection point.
        angular.forEach(themeList.data, function (theme) {
          var tp = $http.get('/customizer/themes/' + theme + '.json');
          tp.then(function (response) {
            themes[theme] = response.data;
          });
          promises.push(tp);
        });
      });

Impact

Attackers can control the resource identifier argument to get() at customizer.js line 142, which could enable them to access or modify otherwise protected system resources.

Location

var tp = $http.get('/customizer/themes/' + theme + '.json');
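The following is an added example, not code from the reporter or from the project: it shows the unvalidated concatenation from the report next to a hardened version that accepts only theme identifiers matching an allowlist pattern before they are spliced into the request path. The helper names (buildThemeUrlUnsafe, buildThemeUrl, isValidThemeId, selectThemes), the identifier pattern and the sample theme list are assumptions chosen for illustration.

```javascript
// Added example (not the project's code): allowlist validation of the
// theme identifier before it is used to build the request path.

// Form from the report, kept for contrast: any string in the theme list is
// concatenated straight into the URL.
function buildThemeUrlUnsafe(theme) {
  return '/customizer/themes/' + theme + '.json';
}

// Assumed allowlist: short identifiers made only of letters, digits,
// underscore and hyphen. Anything else (slashes, dots, query characters)
// is refused before it reaches the HTTP client.
const THEME_ID = /^[A-Za-z0-9_-]{1,64}$/;

function isValidThemeId(theme) {
  return typeof theme === 'string' && THEME_ID.test(theme);
}

// Hardened form: validate first, then encode as an extra layer.
function buildThemeUrl(theme) {
  if (!isValidThemeId(theme)) {
    throw new Error('rejected theme identifier: ' + JSON.stringify(theme));
  }
  return '/customizer/themes/' + encodeURIComponent(theme) + '.json';
}

// Split a fetched theme list into entries that pass validation and entries
// that were dropped, so the rejections can be logged rather than silently lost.
function selectThemes(themeList) {
  const accepted = [];
  const rejected = [];
  for (const theme of themeList) {
    (isValidThemeId(theme) ? accepted : rejected).push(theme);
  }
  return { accepted, rejected };
}

// Constructed sample list: two legitimate names and two that must be refused.
const SAMPLE_THEMES = ['dark', 'light-v2', '../other', 'a?b=1'];

function demo() {
  const result = selectThemes(SAMPLE_THEMES);
  return {
    unsafeUrls: SAMPLE_THEMES.map(buildThemeUrlUnsafe),
    safeUrls: result.accepted.map(buildThemeUrl),
    rejected: result.rejected,
  };
}
```

In the report's code, selectThemes(themeList.data).accepted would replace themeList.data as the input to the forEach loop, and the rejected list would go to a log line; identifiers that fail the pattern never reach $http.get.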
