From open-redirect to plugin-powered takeover
Based on the PoC shared by OX Security, the exploit leverages a clever combo of client-side path traversal and open-redirect mechanics in Grafana’s staticHandler, the component responsible for serving static files like HTML, CSS, JavaScript, and images from the server to the user’s browser.
A potential attack can have a crafted URL sent to the victim, which takes them to a malicious domain. Once there, users are tricked into loading an unsigned, rogue Grafana plugin without the attacker requiring any editor or admin rights.
Once the plugin loads, it runs attacker-controlled JavaScripts in the victim’s browser, potentially leading to session hijacks, credential theft, creation of admin logins, and modification of dashboards.
Additionally, a server-side request forgery (SSRF) escalation for full-read abuse is possible. “This vulnerability does not require editor permissions, and if anonymous access is enabled, the XSS will work. If the Grafana Image Renderer plugin is installed, it is possible to exploit the open redirect to achieve a full read SSRF,” the Grafana advisory added. Upgrading to fixed Grafana versions is recommended to completely mitigate the issue against N-day attacks.
