RustFS Console Stored Cross-Site Scripting Vulnerability Leading to Administrative Account Takeover
Vulnerability
A stored cross-site scripting vulnerability has been identified in the RustFS Console, prior to version 1.0.0-alpha.83. This vulnerability allows an attacker to execute arbitrary JavaScript within the management console. By circumventing the PDF preview logic, an attacker could steal administrator credentials from localStorage, resulting in full account takeover and system compromise. The issue arises from inadequate validation of response content types during file previews and a lack of origin separation between S3 object delivery and the management console.
Impact
Exploitation of this vulnerability allows for stored cross-site scripting, targeting system administrators using the RustFS Console. Successful exploitation leads to full account takeover, granting access to sensitive S3 credentials stored in localStorage. An attacker could use these credentials to perform any administrative actions, such as deleting data, creating backdoors, or downloading the entire filesystem via the S3 API.
Reproduction
To reproduce this vulnerability, upload a file named 'xss.pdf' to an S3 bucket, ensuring to set the 'Content-Type' metadata to 'text/html'. Once the file is uploaded, log into the RustFS Console as an administrator, navigate to the bucket containing the uploaded file, and click the 'Preview' button. This action will trigger the execution of the injected JavaScript, demonstrating access to the administrator's localStorage data.
Remediation
Users are advised to update to RustFS version 1.0.0-alpha.83 or later. Additionally, implementing a dedicated domain for data delivery that is separate from the console domain can help isolate user-uploaded content. Strict security headers, such as Content-Security-Policy and X-Content-Type-Options, should also be applied to enhance security.
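The following is an added example, not RustFS's own code, of the content-type validation the advisory calls for: a preview policy that honours the stored Content-Type only when it is on an allow list and agrees with the object's extension, and otherwise forces a download with nosniff and a sandboxing CSP. The allow list and the extension map are assumptions for illustration.

```rust
/// Types the console may render inline. Assumed allow list, not RustFS's own.
const INLINE_ALLOWED: &[&str] = &["application/pdf", "image/png", "image/jpeg", "text/plain"];

/// What the gateway sends back for a preview request.
#[derive(Debug, PartialEq)]
pub struct PreviewResponse {
    pub content_type: String,
    pub inline: bool,
    pub headers: Vec<(&'static str, String)>,
}

/// "text/html; charset=utf-8" -> "text/html"
fn media_type(ct: &str) -> String {
    ct.split(';').next().unwrap_or("").trim().to_ascii_lowercase()
}

/// Type the object's extension says it should carry; None for unknown extensions.
fn expected_type(key: &str) -> Option<&'static str> {
    let ext = key.rsplit_once('.').map(|(_, e)| e.to_ascii_lowercase());
    match ext.as_deref() {
        Some("pdf") => Some("application/pdf"),
        Some("png") => Some("image/png"),
        Some("jpg") | Some("jpeg") => Some("image/jpeg"),
        Some("txt") => Some("text/plain"),
        _ => None,
    }
}

/// The stored Content-Type is uploader-controlled metadata, so it is honoured
/// only when it is on the allow list and agrees with the object's extension.
pub fn preview_policy(key: &str, stored_content_type: &str) -> PreviewResponse {
    let declared = media_type(stored_content_type);
    let inline = INLINE_ALLOWED.contains(&declared.as_str())
        && expected_type(key) == Some(declared.as_str());
    let file_name = key.rsplit('/').next().unwrap_or(key).replace('"', "");
    let disposition = if inline { "inline" } else { "attachment" };
    let headers = vec![
        // Stop the browser from sniffing the body back into an active type.
        ("X-Content-Type-Options", "nosniff".to_string()),
        // No script execution and no same-origin access from the preview document.
        ("Content-Security-Policy", "default-src 'none'; sandbox".to_string()),
        ("Content-Disposition", format!("{disposition}; filename=\"{file_name}\"")),
    ];
    PreviewResponse {
        // Disallowed or mismatched types are served as opaque bytes for download.
        content_type: if inline { declared } else { "application/octet-stream".to_string() },
        inline,
        headers,
    }
}
```

Serving previews from a dedicated data domain, as the advisory recommends, keeps these headers as defence in depth rather than the only barrier between uploaded content and the console's localStorage.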