[JIRA] (JENKINS-61159) HTTP DELETE requests can be crafted to delete jobs


xuanphu150@gmail.com (JIRA)

Feb 20, 2020, 5:06:02 AM
to jenkinsc...@googlegroups.com
Phu Mai created an issue
Jenkins / Bug JENKINS-61159
HTTP DELETE requests can be crafted to delete jobs
Issue Type: Bug
Assignee: Unassigned
Attachments: clickHere.html, Step1.png, Step2.png, Step3.png, Step4.png, Step5.png, Step6a.png, Step6b.png, Step6c.png, Step6d.png, Step7.png
Components: core
Created: 2020-02-20 10:05
Environment: Jenkins 2.121.1, Ubuntu 18.04.2 LTS
Labels: security jenkins
Priority: Critical
Reporter: Phu Mai

I would like to notify you about a possible security issue of Jenkins.

When I access a project (job) in Jenkins, if I change the HTTP method in the request header from GET to DELETE (e.g., by using the ZAP proxy or via JavaScript), the project (job) will be deleted. This might enable attackers to provide crafted links to admin users.

Is this a vulnerability or a valid behaviour for Jenkins?

More generally, I observe that JavaScript may enable a malicious user to make administrators inadvertently perform privileged actions, if the malicious user can guess the action URL.

The attack scenario is detailed in the following. You can rely on it to replicate the attack.

Pre-Conditions:

- Users: admin is an administrator (full permissions); user1 is a malicious user (attacker) who has the job build permission (NO delete job permission).
- There are two available projects (jobs) on Jenkins with the names jobWithFileParam and job1 (jobWithFileParam was configured with a File Parameter).
- user1 has prepared an HTML file containing a crafted link to access project "try1" with the HTTP DELETE method. This file is attached to this post (clickHere.html).

Goal: user1 intends to make admin inadvertently delete the project try1 through a crafted link that sends an HTTP DELETE request to the URL "/job/try1" (NOT via "/job/try1/doDelete").

Attack Scenario:

1. user1 logs into the Jenkins system.
2. user1 clicks on the build button next to the jobWithFileParam job to open the interface for building projects.
3. user1 uploads the file "clickHere.html" using the browse button of the file upload parameter, then clicks the "Build" button.
4. user1 waits until the build of jobWithFileParam finishes, then logs out.
5. admin logs into the Jenkins system.
6. admin visualizes the file clickHere.html through the following sequence of actions:
   a. access jobWithFileParam (job/jobWithFileParam),
   b. access the last build of jobWithFileParam (job/jobWithFileParam/lastBuild/),
   c. access Parameters (/job/jobWithFileParam/lastBuild/parameters),
   d. in the Parameters area, click on clickHere.html.
7. admin goes back to the main page of Jenkins; the project try1 has disappeared.

(All steps are demonstrated by the attached screenshots.)

If you want to simply verify that the DELETE method deletes projects, you can use the ZAP proxy as follows:

1. Start the ZAP proxy.
2. In a browser (configured to connect to the local ZAP proxy), log into Jenkins with an administrator user.
3. In ZAP, enable Tools / Toggle Break on All Requests.
4. In the browser, click on the project try1 in the list of projects.
5. In ZAP (in the Break tab), change the method to DELETE, then click the "Submit and step to next request or response" button.
6. Back in the browser, the project try1 has disappeared.
This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
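As an added defensive example (not part of this report and not Jenkins code), the script below scans NCSA-style access log lines for the two request shapes the report describes: a DELETE method sent to a bare job URL such as /job/try1, and a doDelete request whose Referer is not a page of the Jenkins site itself, including HTML served out of a build's uploaded file parameters. The log lines, the host name jenkins.example.internal and the URL at which the uploaded clickHere.html is served are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed NCSA-style access log lines (not from the report). The host name
# and the URL at which Jenkins serves the uploaded file parameter are assumptions.
SITE_HOST = "jenkins.example.internal"
SAMPLE_LOG = """\
10.0.0.5 - admin [20/Feb/2020:10:01:02 +0000] "GET /job/try1/ HTTP/1.1" 200 5120 "https://jenkins.example.internal/" "Mozilla/5.0"
10.0.0.5 - admin [20/Feb/2020:10:03:15 +0000] "DELETE /job/try1 HTTP/1.1" 302 0 "https://jenkins.example.internal/job/jobWithFileParam/lastBuild/parameters/parameter/upload/clickHere.html" "Mozilla/5.0"
10.0.0.9 - user1 [20/Feb/2020:10:05:00 +0000] "DELETE /job/job1/ HTTP/1.1" 403 0 "-" "curl/7.64"
10.0.0.5 - admin [20/Feb/2020:10:06:00 +0000] "POST /job/job1/doDelete HTTP/1.1" 302 0 "https://jenkins.example.internal/job/job1/" "Mozilla/5.0"
10.0.0.5 - admin [20/Feb/2020:10:07:00 +0000] "POST /job/job1/doDelete HTTP/1.1" 302 0 "https://evil.example.com/page.html" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)
# Bare job URL (the form the report uses) and the regular doDelete action URL.
JOB_ROOT_RE = re.compile(r"^/job/(?P<job>[^/?#]+)/?(?:[?#].*)?$")
DO_DELETE_RE = re.compile(r"^/job/(?P<job>[^/?#]+)/doDelete(?:[?#].*)?$")

def classify_referer(referer: str, site_host: str) -> str:
    """Classify where the request that reached Jenkins was triggered from."""
    if referer in ("", "-"):
        return "none"
    parts = urlsplit(referer)
    if parts.hostname != site_host:
        return "off-site"
    # HTML served out of a build (file parameters, artifacts) is user-uploaded
    # content; a privileged action with such a Referer is the pattern reported.
    if re.search(r"/job/[^/]+/[^/]+/(parameters|artifact)/", parts.path):
        return "build-served-content"
    return "on-site"

def find_suspicious_deletes(log_text: str, site_host: str) -> list:
    """Return (user, job, reason, referer_class) tuples for deletions to review."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access log line in the expected format
        ref = classify_referer(m["referer"], site_host)
        root, action = JOB_ROOT_RE.match(m["path"]), DO_DELETE_RE.match(m["path"])
        if m["method"] == "DELETE" and root:
            # The Jenkins UI never sends DELETE to a job URL: script or tool generated.
            findings.append((m["user"], root["job"], "DELETE on job URL " + m["status"], ref))
        elif action and ref != "on-site":
            findings.append((m["user"], action["job"], "doDelete with untrusted Referer", ref))
    return findings
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents and SITE_HOST with the instance's host name; the status code in each finding shows whether the request was refused or accepted.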

xuanphu150@gmail.com (JIRA)

Feb 20, 2020, 7:37:02 AM
to jenkinsc...@googlegroups.com
Phu Mai updated an issue
Change By: Phu Mai
Attachment: Step6c.png
