Closed huntr-helper closed 3 years ago
The cabot project is dead (inactive repository), but I hope they realize this is a serious vulnerability. It is CVE-2020-7734, scored as 8.2 HIGH on https://nvd.nist.gov/vuln/detail/CVE-2020-7734
So @dbuxton or @frankh please do something and merge this important security fix.
Also see https://snyk.io/vuln/SNYK-PYTHON-CABOT-609862 for more details. They were right to say "There is no fixed version for cabot" under remediation.
With all sources combined, the public knowledge of the specifics of this vulnerability is enough to make exploitation by a lot of people possible. So it's not safe for it to be unpatched this long.
Merge it and deploy a new release or hotfix.
Thanks for the feedback. Exploitation of this requires admin access, so we did not prioritize it, but as the fix is simple and uncontroversial it's now merged.
Nice..
The last release, 0.11.7, dates back to 2017, and there are a lot of later commits in master.
How about making a new release that will include this security patch and also serve not to let all of those other updates go to waste? @dbuxton
https://huntr.dev/users/alromh87 has fixed the Stored Cross-site Scripting (XSS) vulnerability. alromh87 has been awarded $25 for fixing the vulnerability through the huntr bug bounty program. Think you could fix a vulnerability like this?
Get involved at https://huntr.dev/

| Q | A |
|---|---|
| Version Affected | ALL |
| Bug Fix | YES |
| Original Pull Request | https://github.com/418sec/cabot/pull/1 |
| Vulnerability README | https://github.com/418sec/huntr/blob/master/bounties/pip/cabot/1/README.md |
User Comments:
Metadata
Bounty URL: https://www.huntr.dev/bounties/1-pypi-cabot/
Description
Executed persistent stored XSS in cabot check settings, as well as the address field.
Technical Description
Fixed by using the builtin Django autoescape and URLValidator.
Although Django has inbuilt protection against XSS, it was disabled for the test `result.error` by using `{% autoescape off %}`. Just to be sure I wasn't breaking any needed functionality, I inspected the history to find the purpose of this change. The offending line was introduced in https://github.com/arachnys/cabot/commit/558f18c04e3927def5a9306b014488669006b68b#diff-480f9da2f76d81e98bfb4c99316b90c6R52
for allowing embedding links in the response: https://github.com/arachnys/cabot/commit/558f18c04e3927def5a9306b014488669006b68b#diff-9ff30487dc763b21d6a7742d19eb2268R442
That function was removed a few commits later, making the use of `{% autoescape off %}` unnecessary. As an extra, I added URLValidator in the Http test model.
Proof of Concept (PoC)
`<script>alert('Hi')</script>`
Proof of Fix (PoF)
After the fix, no code is executed for the remote user.
The fix will also handle previously stored offending endpoints with XSS.
User Acceptance Testing (UAT)
After the fix, functionality is unaffected.
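A Python model of the two parts of the fix described above, added here as an example and not cabot's or the pull request's own code: the error cell rendered with `{% autoescape off %}` versus Django's default escaping (reproduced with `html.escape`, which escapes the same five characters), and a simplified stand-in for the scheme-and-host part of URLValidator on the address field. The stored check rows, names and `STORED_CHECKS` / `audit_stored_checks` helpers are constructed assumptions; the first error value is the report's PoC payload.

```python
import html
from urllib.parse import urlsplit

# Constructed sample rows modelling cabot check records as an admin could
# have saved them before the fix (names are hypothetical).
STORED_CHECKS = [
    {"name": "api-health", "address": "https://example.test/health",
     "error": "<script>alert('Hi')</script>"},
    {"name": "legacy", "address": "<script>alert('Hi')</script>",
     "error": "Timeout after 30s"},
]

# Django URLValidator's default schemes. The real validator is regex based
# and stricter; this stand-in only checks scheme, host and markup characters.
ALLOWED_SCHEMES = ("http", "https", "ftp", "ftps")


def render_error_unsafe(error):
    """Models `{% autoescape off %}`: the stored string is emitted verbatim,
    so markup inside it becomes part of the page (the vulnerable path)."""
    return "<td>%s</td>" % error


def render_error_safe(error):
    """Models Django's default autoescape: & < > \" ' are escaped, which is
    exactly what html.escape(quote=True) does."""
    return "<td>%s</td>" % html.escape(error, quote=True)


def is_valid_check_address(address):
    """Accept only absolute URLs with an allowed scheme and a host, the
    intent of adding URLValidator to the Http test model."""
    parts = urlsplit(address)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    return not any(ch.isspace() or ch in "<>\"'" for ch in address)


def audit_stored_checks(checks):
    """Per stored check: does the address pass validation, and what does the
    escaped error cell look like. Rows saved before the fix are neutralised
    at render time even though they were never validated on save."""
    return [
        {"name": c["name"],
         "address_ok": is_valid_check_address(c["address"]),
         "error_html": render_error_safe(c["error"])}
        for c in checks
    ]


if __name__ == "__main__":
    for row in audit_stored_checks(STORED_CHECKS):
        print(row)
```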