
Sanitize "work details" field of add book UI #6533

Closed
mekarpeles opened this issue May 11, 2022 · 1 comment · Fixed by #6543
Labels
Lead: @cdrini Issues overseen by Drini (Staff: Team Lead & Solr, Library Explorer, i18n) [managed] Priority: 2 Important, as time permits. [managed] Theme: Security Type: Bug Something isn't working. [managed]

Comments

@mekarpeles (Member)

Description

Module: Openlibrary
Vulnerability: Stored XSS in Editor
Versions: deploy-2021-12-22

Vulnerability Description:
The "Openlibrary" application is vulnerable to Stored XSS. A text editor named "How would you describe
this book" allows any user to store malicious scripts while creating a new book. When an admin user
navigates to recent community edits and edits the book, the XSS will be triggered.

Vulnerable GitHub Versions:
deploy-2016-07-06 to deploy-2021-12-22

Vulnerable Code:
https://github.com/internetarchive/openlibrary/blob/deploy-2021-12-22/openlibrary/plugins/openlibrary/js/markdown-editor/index.js#L8

PoC Details:

  1. Go to the application (http://localhost:8080/) and log in with “Account A”
     (userbot@example.com:admin123).

  2. Go to the More option and click on Add a Book. Then fill in all the input fields and create a book.

  3. Go to “work details”, insert the XSS payload in the text editor ("How would you describe
     this book") and click on save.

  4. Open a private window and log in with admin-privileged user credentials
     (openlibrary@example.com:admin123).

  5. Navigate to “Recent community edits” from the More section and click on the recent post.

  6. Now click on “Edit”; the XSS will be triggered when the work details page is displayed.

CVSS 3.1 Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS 3.1 score: 5.4 (Medium)

CWE List:
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Solution

We should likely sanitize the work details fields to safely scrub markup

@mekarpeles (Member, Author)

@cdrini and I triaged and were able to repro in a very specific case of ?m=edit using images
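One way to implement the allowlist sanitization the Solution section calls for, applied to the kind of image markup the triage comment mentions. This is an added example using only the Python standard library; it is not Open Library's code and not the fix landed in #6543, and the tag/attribute allowlist and the `sanitize` function name are assumptions.

```python
# Allowlist HTML sanitizer for user-supplied markup (added example; not Open Library's code or the #6543 fix).
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the markup a book description legitimately needs, nothing else.
ALLOWED_TAGS = {"p", "br", "em", "strong", "ul", "ol", "li", "a", "img", "blockquote", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "title"}}
URL_ATTRS, VOID_TAGS, DROP_CONTENT = {"href", "src"}, {"br", "img"}, {"script", "style"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" = relative URL

def safe_url(value):
    """Reject javascript:, data:, vbscript: etc.; browsers ignore tab/newline in URLs, so drop them first."""
    cleaned = value.translate({9: None, 10: None, 13: None}).strip()
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0  # output, open-tag stack, <script>/<style> depth

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1  # discard the body of <script>/<style>, not just the tag
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content still flows through handle_data
        kept = []
        for name, value in attrs:
            # Event handlers (onerror, onclick, ...) and style never make the allowlist;
            # URL-bearing attributes must additionally pass safe_url.
            if name in ALLOWED_ATTRS.get(tag, set()) and (name not in URL_ATTRS or safe_url(value or "")):
                kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        while tag in self.open:  # pop down to the matching tag so output stays well-formed
            self.out.append(f"</{self.open.pop()}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is always re-escaped, whatever its source

def sanitize(html):
    p = Sanitizer()
    p.feed(html)
    p.close()
    return "".join(p.out) + "".join(f"</{t}>" for t in reversed(p.open))
```

Run the rendered markdown through `sanitize` before it is assigned to `innerHTML` or stored; a scheme check on `src`/`href` is what stops the image case, since dropping `on*` attributes alone still leaves `javascript:` URLs.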

@mekarpeles mekarpeles added this to the Active Sprint milestone May 12, 2022