Static Code Injection in collectiveaccess/pawtucket2
Sep 30th 2021
This report follows on from an earlier SSRF report I made (https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/), where the fix was to strip external src values from images. Pawtucket2 uses the same HTML-filtering code as Providence, but it does not include the fix from https://github.com/collectiveaccess/providence/commit/aaf573e2fcaaa5c5b52c61eaaa4d6a5ca3b247d9, so an attacker can still inject an img tag whose src points to an external URL.
It is possible to inject <img src="http://10.0.2.4"> as the name of a Lightbox, confirming that HTML with an external img src can still be injected.
HTML injection via img tags with an external src is possible. It can be escalated to SSRF, as in the earlier report (https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/), provided the attacker can inject the HTML somewhere that is rendered to PDF.
Port the fix from https://github.com/collectiveaccess/providence/commit/aaf573e2fcaaa5c5b52c61eaaa4d6a5ca3b247d9 to the Pawtucket2 code at the permalink below.
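As an added example (not code from this report or from the CollectiveAccess project, whose filter is written in PHP), the following Python sketch shows the kind of check the linked Providence commit is described as adding: an HTML filter that drops img elements whose src is anything other than a relative URL or an allow-listed host. It also rejects scheme-relative (//host) URLs, non-http schemes such as data: and javascript:, and backslash/tab tricks that browsers normalise away, since those would otherwise slip past a naive "starts with http" test. The allow-list, the function names and the sample Lightbox name are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an <img src> may point at. Empty by default: only relative URLs pass.
# The example host below is an assumption, not a real deployment.
EXAMPLE_ALLOWED_HOSTS = frozenset({"pawtucket.example.org"})


def is_external_src(src, allowed_hosts=frozenset()):
    """True when src would make the renderer fetch from outside allowed_hosts.

    Relative paths (no scheme, no host) are local. Scheme-relative URLs,
    non-http(s) schemes and any host not in the allow-list are external.
    """
    # Browsers drop tab/CR/LF inside URLs and treat '\' as '/' for http(s);
    # normalise the same way so "http:\\10.0.2.4" is not misread as relative.
    src = src.strip().translate({ord(c): None for c in "\t\r\n"}).replace("\\", "/")
    parsed = urlparse(src)            # urlparse lowercases the scheme
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return True                   # data:, javascript:, file:, ...
    if not parsed.netloc:
        return False                  # e.g. /media/thumb.jpg
    return parsed.hostname not in allowed_hosts


class ExternalImgFilter(HTMLParser):
    """Re-serialises an HTML fragment, dropping <img> whose src is external."""

    def __init__(self, allowed_hosts=frozenset()):
        super().__init__(convert_charrefs=False)
        self.allowed_hosts = allowed_hosts
        self.out = []
        self.dropped = []             # stripped src values, for logging/alerting

    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "img":
            # Browsers honour the first duplicate attribute, so check the first src.
            src = next((v for k, v in attrs if k == "src"), None) or ""
            if is_external_src(src, self.allowed_hosts):
                self.dropped.append(src)
                return
        rendered = "".join(
            f' {k}="{escape(v, quote=True)}"' if v is not None else f" {k}"
            for k, v in attrs
        )
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def result(self):
        return "".join(self.out)


def strip_external_images(html, allowed_hosts=frozenset()):
    """Return (filtered_html, list_of_dropped_src_values)."""
    f = ExternalImgFilter(allowed_hosts)
    f.feed(html)
    f.close()
    return f.result(), f.dropped


# Constructed sample: a Lightbox name carrying the payload from this report,
# plus a same-origin thumbnail, a scheme-relative variant and an allow-listed host.
SAMPLE_LIGHTBOX_NAME = (
    'My set <img src="http://10.0.2.4"> '
    '<img src="/media/thumb.jpg" alt="ok"> '
    '<img src="//10.0.2.4/x.png"> '
    '<img src="HTTP://pawtucket.example.org/logo.png">'
)

if __name__ == "__main__":
    cleaned, dropped = strip_external_images(SAMPLE_LIGHTBOX_NAME, EXAMPLE_ALLOWED_HOSTS)
    print(cleaned)
    print("dropped:", dropped)
```

The filter removes the whole img element rather than just the src attribute, so a stripped image cannot be resurrected by a later attribute such as srcset; if the application must keep the element, the same check should be applied to every URL-bearing attribute. Run it on the constructed sample and only the /media/thumb.jpg and allow-listed images survive, while both 10.0.2.4 variants are reported in the dropped list.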