RunestoneInteractive / RunestoneServer

Interactive books for computer science and mathematics
http://runestoneinteractive.org
Other
575 stars 503 forks source link

XSS Bug (Possible Zero-Day Vulnerability) #2035

Closed Endothermic-Dragon closed 1 year ago

Endothermic-Dragon commented 1 year ago

My username on Runestone is "Endothermic-Dragon".

I was doing some java exercises for my AP CS A class (https://runestone.academy/ns/books/published/HHS-CSA-2022-2023-2/Unit6-Arrays/topic-6-1-array-basics.html), and I noticed that raw HTML was being displayed. This is a sign of possible XSS, so I tried injecting some javascript code (""), and it worked without any sort of filter or sanitation.

A possible exploitation of this is capture a user's cookies by sending it to an web endpoint. My teacher has informed me that they (1) can view and run all of her students' code and (2) check for code functionality and don't read through the code in detail before running. Using this information, I could theoretically launch an attack against them with a particularly long assignment, where I simply hide this vulnerable code somewhere in there. I could also grab her IP using a similar technique by checking the origin of the request and extrapolate her location. I would have further tested this theory, but have not obtained the consent of my teacher to do so.

If I had to fix this, I would either use DOMPurify to strip any JS or just use "element.innerText" to display the server response rather than "element.innerHTML". If execution is absolutely necessary, I would do this server-side in an appropriately isolated environment.

bhoffman0 commented 1 year ago

Yes, you are right. We were aware of this, but no one got around to fixing it. I like your ideas for fixing this! Runestone is open source,. Do you want to try fixing it and do a pull request?

github-actions[bot] commented 1 year ago

Stale issue message