Hyperlink injection in email in outline/outline
Reported on
Jul 2nd 2022
BUG
Hyperlink injection in email
SUMMARY
There is no character length limit on the user full name. So a user can set the full name to a very large number of characters and can also put a link URL in it.
DETAILS
1. Go to the admin account profile and change the full name to the text below:
Hi, You have been invited to getoutline . If you are existing user then login to http://attacker.com/?login=true .
If not then goto http://attacker.com/?invite=true&id=xyz and setup with your account.Then login with your new password . Ignore this mail if already done .
2. Now invite a user called user-B with the viewer role.
Now user-B receives a mail like the one below.
Here user-B thinks it is a real email from Outline, so the victim will trust it and will log in or sign up on the attacker's site.
Then the attacker gets the victim's password or some other token.
I see getoutline does not have password authentication. But an attacker can steal other types of tokens or mislead the users.
My suggestion is to limit the full name character count and not allow hyperlinks in the full name.
REFERENCES
Here are a few HackerOne reports similar to it:
https://hackerone.com/reports/950180
https://hackerone.com/reports/864751
https://hackerone.com/reports/843421
https://hackerone.com/reports/164833
https://hackerone.com/reports/158554
Impact
Hyperlink injection in the full name allows an attacker to confuse users and steal the victim's password.
Valid, however attack potential is limited as we do not have user passwords.