jcrodriguez-dis / vpl-jail-system

Execution/jail server for VPL
GNU General Public License v3.0
23 stars, 22 forks

XSS vulnerability on VPL jail servers #62

Open stc40 opened 1 year ago

stc40 commented 1 year ago

Hello, we've had a report that the VPL jail server software is liable to an XSS attack. Although modern browsers' URL escaping behaviour generally makes it impossible to get special characters into the HTTP request, it is technically not impossible. We've had it reported on our own server (running 2.7.1), and this is also present on https://demojail.dis.ulpgc.es/

Description: The application is vulnerable to a cross site scripting attack. This occurs when user-generated data is included in a page without proper validation, which could allow an attacker to inject malicious scripts into the page viewed by other users.

Impact: Attackers can use XSS attacks to steal sensitive information such as passwords, cookies, or even inject malicious code into the page that can harm the users of the website.

Steps to reproduce:

Request:

GET /?cko5dsjd3z=1 HTTP/1.1
Host: ########
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.99 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="108", "Chromium";v="108"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0

Response:

HTTP/1.1 404 Not found
Server: vpl-jail-system 2.7.1
Connection: close
Content-Length: 123
Content-Type: text/html; chartype=UTF-8

Not found

Http GET: Url path not found '/?cko5dsjd3z=1'

Solution: The solution is to validate and sanitize all user-generated data before including it in the page. This can be done by using a library or function that removes any potentially harmful characters or scripts. Additionally, implementing a Content Security Policy (CSP) can help prevent XSS attacks by specifying which sources of content are allowed to be executed in the browser.
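The fix the report asks for, as an added illustration rather than code from vpl-jail-system: the 404 body reflects the request path, so the path must be HTML-encoded before it is inserted into a text/html response. The `notFoundBody*` builders and `containsRawTag` helper below are hypothetical stand-ins for the server's handler, and the request path is a constructed sample.

```cpp
// Added example (not the project's own code): HTML-escape the request path
// before echoing it into the 404 body, as the reported fix requires.
#include <string>
#include <cstdio>

// Encode the five characters that can change HTML text or attribute context.
std::string htmlEscape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Hypothetical body builders: the unsafe one mirrors the behaviour the issue
// describes (raw path reflected into a text/html body); the safe one escapes.
std::string notFoundBodyUnsafe(const std::string &path) {
    return "Http GET: Url path not found '" + path + "'";
}

std::string notFoundBodySafe(const std::string &path) {
    return "Http GET: Url path not found '" + htmlEscape(path) + "'";
}

// Defender-side check: does the body still contain a raw tag opener?
bool containsRawTag(const std::string &body) {
    return body.find('<') != std::string::npos;
}

int main() {
    // Constructed request path carrying HTML metacharacters (no real payload).
    const std::string path = "/?q=<b>x</b>&\"'";
    std::printf("unsafe: %s\n", notFoundBodyUnsafe(path).c_str());
    std::printf("safe:   %s\n", notFoundBodySafe(path).c_str());
    return 0;
}
```

Serving the error body as text/plain instead of text/html is a complementary hardening, since a browser will then not interpret any markup in it at all.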

jcrodriguez-dis commented 5 months ago

Dear stc40,

Thank you for bringing this to our attention. Yes, you are correct that when a client makes a bad URL request, the server responds by echoing the malformed URL without HTML encoding. This issue will be addressed in the next release of VPL-Jail-server.

Please note that the Jail server is not a typical web server that serves content directly to users. Instead, it is designed so that content generated by one client is not shown to another.

Best regards, Juan Carlos.