Glances XML-RPC Server CORS Misconfiguration Vulnerability Allowing Cross-Origin System Information Disclosure

Vulnerability

A vulnerability exists in the Glances XML-RPC server, active in versions through 4.5.1, where the server improperly handles Cross-Origin Resource Sharing (CORS) headers. The server sends 'Access-Control-Allow-Origin: *' with every HTTP response, allowing any website to make cross-origin requests. This issue arises because the XML-RPC handler does not validate the Content-Type header. An attacker-controlled webpage can send a CORS 'simple request' (POST with Content-Type: text/plain) containing a valid XML-RPC payload. The server processes the request without a preflight check, executing the XML-RPC method calls and returning sensitive system data. The vulnerability is exacerbated by the server's default configuration, which has no authentication, making it easy for attackers to exploit.

Impact

Exploitation of this vulnerability allows for the cross-origin theft of comprehensive system monitoring data. This includes the hostname, operating system version, IP addresses, detailed statistics on CPU, memory, disk, and network usage, as well as the complete process list with command line arguments. Such command lines often contain sensitive information like tokens, passwords, or internal file paths.

Reproduction

To reproduce this vulnerability, start the Glances XML-RPC server on a machine with a vulnerable version (prior to 4.5.3). Once the server is running, host an HTML file or use a browser console to send a POST request to the server's XML-RPC endpoint. The request should include a valid XML-RPC payload and be marked with the Content-Type 'text/plain'. The server will respond with the system data, which can be accessed by the attacker's JavaScript due to the wildcard CORS header.

Remediation

Users can update to Glances version 4.5.3 or later, where this vulnerability has been patched.
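To show the two defects described above (a wildcard Access-Control-Allow-Origin on every response and an unchecked Content-Type) in a form a defender can compare against, here is an added example, not Glances' own code: a Python XML-RPC request handler built on the standard library's SimpleXMLRPCRequestHandler that validates Content-Type, refuses browser-originated requests, and never emits a wildcard CORS header. The class and function names are hypothetical, and the rule that the monitoring API is never legitimately called from a web page is an assumption of this example.

```python
from http import HTTPStatus
from xmlrpc.server import SimpleXMLRPCRequestHandler

# Content types a genuine XML-RPC client sends. A browser cannot attach these
# to a cross-origin request without a preflight, so checking them is what
# forces the preflight that the text/plain "simple request" skips.
ALLOWED_CONTENT_TYPES = ("text/xml", "application/xml")


def request_is_acceptable(headers):
    """Return (ok, reason) for a request's headers (case-insensitive keys).

    Rejects the text/plain simple request described in the advisory, and any
    request carrying an Origin header: this example assumes the monitoring
    API is never legitimately called from a web page, so browser traffic is
    refused outright.
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in ALLOWED_CONTENT_TYPES:
        return False, f"unsupported Content-Type {ctype or '<missing>'}"
    if "origin" in h:
        return False, "cross-origin browser requests are not accepted"
    return True, "ok"


class HardenedXMLRPCHandler(SimpleXMLRPCRequestHandler):
    """Hypothetical hardened handler; not the Glances implementation."""

    def do_POST(self):
        ok, reason = request_is_acceptable(dict(self.headers.items()))
        if not ok:
            # No Access-Control-Allow-Origin on this response, so even a
            # browser that sent the request cannot read the error body.
            self.send_error(HTTPStatus.FORBIDDEN, reason)
            return
        super().do_POST()

    def do_OPTIONS(self):
        # Preflight gets no Access-Control-Allow-* headers: the browser then
        # refuses to send the real request at all.
        self.send_response(HTTPStatus.NO_CONTENT)
        self.end_headers()

    def send_header(self, keyword, value):
        # Belt and braces: drop a wildcard CORS header if any code path sets it.
        if keyword.lower() == "access-control-allow-origin" and value == "*":
            return
        super().send_header(keyword, value)
```

Pass `requestHandler=HardenedXMLRPCHandler` to `SimpleXMLRPCServer` (and bind to loopback only) to serve with it; a text/plain POST then receives a 403 with no CORS header instead of system data.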

Added: May 3, 2026, 11:35 AM
Updated: May 3, 2026, 11:35 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.7
exploitability: 7.5
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.