CSP bypass via js file in usememos/memos
Reported on Dec 23rd 2022
Description
Hi, Maintainer. You submitted a fix in the latest version 0.9.0 with commit c07b4a. But after many tests, I found that this is still not 100% safe. You have set a very simple CSP, which can be bypassed.
Video link: https://drive.google.com/file/d/1glQfxLs6pZP6B87cYlIFf7LmLT9Z4oz5/view?usp=share_link
Steps
1. Create a JS file named '123.js' with the following contents:
alert('/xss/')
2. Click the resource section to upload the JS file, and copy the path of the uploaded file. For example, the path is https://demo.usememos.com/o/r/20/123.js. This path will be used in the following HTML file.
3. Create an HTML file named 'hello.html' with the following contents. Note that the value of src is the second half of the path of the JS file just uploaded (the value of src depends on the path of the JS file):
<script src='../20/123.js'></script>
4. Finally, preview hello.html.
My suggestion is to use a more secure CSP, or you may have a better way. I hope we can make this project better. The following is my suggestion.
Content-Security-Policy:
object-src 'none';
script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
base-uri 'none';
report-uri https://your-report-collector.example.com/
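The policy above follows the "strict CSP" pattern: a browser that understands nonces ignores 'unsafe-inline', and one that understands 'strict-dynamic' ignores the https: and http: allowlist, so those entries only serve older browsers. 'unsafe-eval' is not neutralised by either rule and stays active. The uploaded-file problem in the steps is separate from the page policy: the uploaded HTML is previewed on the application's own origin, so whatever the page policy says, the response that serves an uploaded file needs its own headers. The following is an added example written for this report, not code from the memos project: a net/http middleware that issues a fresh nonce per page response and applies a locked-down policy to anything under the /o/r/ resource prefix seen in the report. The upload policy, the /o/r/ routing, the nonceKey context key and the stand-in handlers are all my assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// nonceKey carries the per-response nonce from the middleware to the renderer (assumed design).
type nonceKey struct{}

// newNonce returns 128 bits of CSPRNG output, base64-encoded; one per response, never reused.
func newNonce() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(b), nil
}

// pageCSP is the reporter's suggested policy with {random} replaced by a real nonce.
func pageCSP(nonce string) string {
	return "object-src 'none'; " +
		"script-src 'nonce-" + nonce + "' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; " +
		"base-uri 'none'; " +
		"report-uri https://your-report-collector.example.com/"
}

// uploadCSP is my assumed policy for user-uploaded files (not the project's own):
// no fetches of any kind and a sandboxed document, so an uploaded HTML page
// cannot execute an uploaded JS file even though both share the origin.
const uploadCSP = "default-src 'none'; sandbox; base-uri 'none'; form-action 'none'"

// nonceFrom extracts the nonce value from a policy string ("" if there is none).
func nonceFrom(policy string) string {
	_, after, ok := strings.Cut(policy, "'nonce-")
	if !ok {
		return ""
	}
	val, _, _ := strings.Cut(after, "'")
	return val
}

// securityHeaders treats everything under uploadPrefix as untrusted bytes and
// everything else as an application page that gets a fresh nonce.
func securityHeaders(next http.Handler, uploadPrefix string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		if strings.HasPrefix(r.URL.Path, uploadPrefix) {
			h.Set("Content-Security-Policy", uploadCSP)
			h.Set("X-Content-Type-Options", "nosniff") // never sniff an upload into text/html
			h.Set("Content-Disposition", "attachment") // download it, do not render it in place
			next.ServeHTTP(w, r)
			return
		}
		nonce, err := newNonce()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		h.Set("Content-Security-Policy", pageCSP(nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), nonceKey{}, nonce)))
	})
}

// app stands in for the page renderer and the resource file server; the
// /o/r/ prefix is the resource path shown in the report.
func app() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/o/r/", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		fmt.Fprint(w, "alert('/xss/')") // constructed stand-in for an uploaded file's bytes
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		nonce, _ := r.Context().Value(nonceKey{}).(string)
		w.Header().Set("Content-Type", "text/html; charset=utf-8")
		fmt.Fprintf(w, `<script nonce="%s">console.log("app")</script>`, nonce)
	})
	return securityHeaders(mux, "/o/r/")
}

// probe issues an in-memory GET against the wrapped app and returns the response.
func probe(path string) *httptest.ResponseRecorder {
	rec := httptest.NewRecorder()
	app().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec
}

func main() {
	for _, p := range []string{"/", "/o/r/20/123.js"} {
		fmt.Printf("%s\n  CSP: %s\n", p, probe(p).Header().Get("Content-Security-Policy"))
	}
}
```

Two design notes. First, the renderer must put the same nonce on every script tag it emits, which is why the middleware hands it over through the request context rather than generating it in two places. Second, a blanket Content-Disposition: attachment on uploads would also stop images from displaying inline; an application that embeds uploaded images should either limit the attachment header to non-image types or, better, serve uploads from a separate origin so that uploaded HTML never runs with the application's cookies.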
Impact
(1) Stealing the administrator account or cookie lets the intruder log in to the back end as an administrator, enabling them to manipulate back-end data maliciously, including reading, changing, adding and deleting information.
(2) Stealing users' personal information or login accounts poses a huge threat to the security of the website's users; for example, the attacker can impersonate a user for various operations.
(3) Website malware planting ("hanging horse"). First, malicious code is embedded into the web application; when a user browses the affected page, a Trojan is implanted on the user's computer.
(4) Sending advertisements or spam. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting users' normal use.
Occurrences
resource.go L268:
Content-Security-Policy: object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'none'; report-uri https://your-report-collector.example.com/
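Reading a policy like the one above by eye is error-prone because several of its entries are overridden by others. As an added example (mine, not from the report or the project), the Go code below parses a CSP header and reduces script-src to the sources a CSP3 browser actually honours, then lists the remaining weak spots: 'unsafe-inline' is dropped when a nonce, hash or 'strict-dynamic' is present; 'self', scheme and host sources are dropped when 'strict-dynamic' is present; 'unsafe-eval' survives both. The reportPolicy constant is the header from the report copied verbatim; the finding texts are my wording.

```go
package main

import (
	"fmt"
	"strings"
)

// reportPolicy is the header suggested in the report, copied verbatim.
const reportPolicy = "object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'none'; report-uri https://your-report-collector.example.com/"

// parseCSP splits a policy into directive name -> source expressions.
func parseCSP(policy string) map[string][]string {
	out := map[string][]string{}
	for _, d := range strings.Split(policy, ";") {
		fields := strings.Fields(d)
		if len(fields) == 0 {
			continue
		}
		out[strings.ToLower(fields[0])] = fields[1:]
	}
	return out
}

// isNonceOrHash reports whether a (lower-cased) source expression is a nonce or hash.
func isNonceOrHash(s string) bool {
	for _, p := range []string{"'nonce-", "'sha256-", "'sha384-", "'sha512-"} {
		if strings.HasPrefix(s, p) {
			return true
		}
	}
	return false
}

// effectiveScriptSources applies the CSP3 override rules a supporting browser uses.
func effectiveScriptSources(sources []string) []string {
	nonceOrHash, strictDynamic := false, false
	for _, s := range sources {
		l := strings.ToLower(s)
		nonceOrHash = nonceOrHash || isNonceOrHash(l)
		strictDynamic = strictDynamic || l == "'strict-dynamic'"
	}
	var out []string
	for _, s := range sources {
		l := strings.ToLower(s)
		switch {
		case l == "'unsafe-inline'" && (nonceOrHash || strictDynamic):
			continue // kept in the header only for browsers that predate nonces
		case strictDynamic && (l == "'self'" || !strings.HasPrefix(l, "'")):
			continue // allowlist entries are dead once 'strict-dynamic' is set
		}
		out = append(out, s)
	}
	return out
}

// auditPolicy returns human-readable findings about script execution under the policy.
func auditPolicy(policy string) []string {
	d := parseCSP(policy)
	src, ok := d["script-src"]
	if !ok {
		src = d["default-src"] // script-src falls back to default-src
	}
	eff := effectiveScriptSources(src)
	findings := []string{"effective script-src: " + strings.Join(eff, " ")}
	for _, s := range eff {
		switch strings.ToLower(s) {
		case "'unsafe-inline'":
			findings = append(findings, "inline script allowed: 'unsafe-inline' is active (no nonce or hash)")
		case "'unsafe-eval'":
			findings = append(findings, "eval allowed: 'unsafe-eval' is not neutralised by a nonce or 'strict-dynamic'")
		}
	}
	if _, ok := d["object-src"]; !ok {
		if _, ok := d["default-src"]; !ok {
			findings = append(findings, "object-src missing: plugin content is unrestricted")
		}
	}
	if _, ok := d["base-uri"]; !ok {
		findings = append(findings, "base-uri missing: an injected <base> tag could redirect relative script URLs")
	}
	return findings
}

func main() {
	for _, f := range auditPolicy(reportPolicy) {
		fmt.Println(f)
	}
}
```

Run against the report's policy, the effective script-src is the nonce, 'unsafe-eval' and 'strict-dynamic' only, and the single remaining finding is 'unsafe-eval'; a maintainer can decide whether the front end really needs it. The same function run over a bare "script-src 'self' 'unsafe-inline'" keeps both entries and flags inline script, the missing object-src and the missing base-uri.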
SECURITY.md: exists (a year ago)