CLP-01-015 Persistent XSS on Index Page via Direct Login Favicon (Critical) Similar to the issue described in CLP-01-014, a persistent XSS can be triggered using the Direct Login feature. Clipperz attempts to load the favicon of the linked website and display its URL inside the src attribute of an IMG element. An attacker can cause the bookmarklet to deliver a maliciously prepared URL that, in conjunction with the favicon display, leads to an XSS attack. Note that this attack is capable of executing arbitrary attacker controlled JavaScript right after the victim logged in, because the vulnerable element is being shown on the index page. It is further possible to create a malicious page that will fill the bookmarklet?s textarea with arbitrary content. The victim would have no way to detect that something was injected and will willingly copy & paste it into the clippers application?s card creator form. Steps to reproduce: Copy malicious JSON into card editor for ?Direct Login? Create the card Logout Log in again Attacker?s JavaScript executes Example JSON to inject the payload: {"page": {"title": ""}, "form": {"attributes": {"action": "javascript://\"onload=alert(1)//", "method": null}, "inputs": [{"type": "text", "name": "username", "value": ""}, {"type": "password", "name": "password", "value": ""}]}, "version": "0.2.3"} Affected Markup in Clipperz application:
unnamed record | show It must be ensured that any form of user controlled data is being filtered and encoded properly. It has shown, that the JSON processing for direct logins is a particularly vulnerable element of the Clipperz application and deserves special attention. We believe, that the bookmarklet is easily exposed to injection attacks and that the content of the textarea for direct login data is a dangerous and easy to exploit attack vector and needs to be treated as such by the Clipperz application upon processing its data. |