Drawgantt cross-scripting security issue

[matthieu637]

Hello,
The IT team of my university informed us that there is a problem on the following page:
drawgantt.php?start=1552960201&stop=1553219401&filter=all clusters&timezone=Asia/Shangai&resource_base=cpuset";prompt(23206)//&scale=10

I changed our firewall rules but it might also interest you (we are using the version 2.5.8~rc8-1.).

[npf]

Hello Matthieu,
Did you success to demonstrate the exploit ?

[matthieu637]

Hello,
In the link I sent the JS only prompt 23206. I guess it's enough to demonstrate the exploit.
The server isn't directly targeted by this kind of exploit but users are (and ultimately the server can be in danger if the target is an admin).

For instance, a hacker could send the following link (https://intranet.grid5000.fr/oar/Nancy/drawgantt-svg/drawgantt.php?start=1552960201&stop=1553219401&filter=all%20clusters&timezone=Asia/Shangai&resource_base=cpuset%22;prompt(23206)//&scale=10) to a user of grid5000 with a malicious JS script that ask for password and upload it somewhere.
The victim will see the "https://intranet.grid5000.fr/" and could think "ok it's safe", but it's not.

[npf]

Thanks, Matthieu.
(apparently I misread the url you proposed above, your example is indeed demonstrative !).