opencaching / opencaching-pl

The source code of Opencaching.PL (and some other domains)
https://opencaching.pl/
GNU General Public License v3.0

Cross Site Scripting vulnerability reported for opencaching.ro #2225

Open andrixnet opened 3 years ago

andrixnet commented 3 years ago

As sysadmin for opencaching.ro I received a report from Open Bug Bounty about a discovered vulnerability on the site. Cited report can be found here: https://www.openbugbounty.org/reports/1930692/ Details about the web components are here: https://www.immuniweb.com/websec/?id=oRQG1uGV

Parts of the report that IMO are related to the code might be the following:

Also there is mention of external content requests (these appear to be JS libraries). I have already expressed concern in another issue or comment flow about being dependent on external resources which could be easily included in the codeset.

It is likely that these affect all opencaching-pl OC servers.

Please help fix them before Scheduled Public Disclosure: Information 29 May, 2021 23:34 GMT.

Note: will also try to address other server configuration issues as reported. And document them for the benefit of all OC.

kojoty commented 3 years ago

a few quick comments:

Also there is mention of external content requests (these appear to be JS libraries). I have already expressed concern in another issue or comment flow about being dependent on external resources which could be easily included in the codeset.

I think we have very limited usage of such things and the source of JS scripts seems to be trusted

andrixnet commented 3 years ago

Regarding secure attrib for cookies: AFAIK HTTP connections are still required to work to support some legacy OKAPI clients.

andrixnet commented 3 years ago

Proof of concept (?):

POC:

* Domain: opencaching.ro
* Parameter affected: https://www.opencaching.ro/UserAuthorization/login?email=1&password=&target=
* Payload: "><img src=a onerror=prompt('xss');>
* Link of XSS vulnerable URL: https://www.opencaching.ro/UserAuthorization/login?email=1&password=&target=%22%3E%3Cimg%20src=a%20onerror=prompt(%27xss%27);%3E
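The payload above starts with `">`, which only makes sense if `target` is reflected inside a double-quoted HTML attribute. The following is an added example (JavaScript, not code from opencaching-pl, which is written in PHP): it models a login page that echoes `target` into a hidden input's `value` attribute and contrasts raw interpolation with output-time escaping for that context. The form layout, the attribute context and the `targetFromUrl` / `countStartTags` helpers are assumptions made for illustration; the URL and payload are the ones from the report.

```javascript
// Added example, not code from opencaching-pl (which is written in PHP).
// Models a login page that reflects the `target` query parameter into a hidden
// input and shows why the payload from the report breaks out of the attribute.
// The form layout and the attribute context are assumptions made for illustration.
"use strict";

// Decoded form of the payload in the PoC URL.
const PAYLOAD = "\"><img src=a onerror=prompt('xss');>";

// PoC link from the report; the query string carries the percent-encoded payload.
const POC_URL = "https://www.opencaching.ro/UserAuthorization/login?email=1&password=&target=" +
  "%22%3E%3Cimg%20src=a%20onerror=prompt(%27xss%27);%3E";

// Escapes the characters that can end an attribute value or start markup.
// Safe for text nodes and for double- or single-quoted attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Extracts `target` the way a server would, decoding the percent-encoding used in the PoC link.
function targetFromUrl(url) {
  return new URL(url).searchParams.get("target") || "";
}

// Vulnerable rendering: the raw parameter is interpolated into value="...",
// so a leading `">` closes the attribute and the tag and injects <img onerror=...>.
function renderLoginFormVulnerable(target) {
  return '<form method="post" action="/UserAuthorization/login">' +
    '<input type="hidden" name="target" value="' + target + '">' +
    '<input type="email" name="email"><input type="password" name="password">' +
    '</form>';
}

// Fixed rendering: identical template, but the value is escaped at output time
// for the attribute context it lands in. The payload survives only as inert text.
function renderLoginFormFixed(target) {
  return '<form method="post" action="/UserAuthorization/login">' +
    '<input type="hidden" name="target" value="' + escapeHtml(target) + '">' +
    '<input type="email" name="email"><input type="password" name="password">' +
    '</form>';
}

// Counts start tags of one element name in a rendered string; used to show that
// the vulnerable page contains an <img> element the template never declared.
function countStartTags(html, tagName) {
  const re = new RegExp("<" + tagName + "\\b", "gi");
  return (html.match(re) || []).length;
}

if (typeof require !== "undefined" && require.main === module) {
  const t = targetFromUrl(POC_URL);
  console.log("vulnerable <img> count:", countStartTags(renderLoginFormVulnerable(t), "img")); // 1
  console.log("fixed <img> count:     ", countStartTags(renderLoginFormFixed(t), "img"));      // 0
}
```

The point of the comparison is that the template did not change; only the encoding of the untrusted value at the point where it is written into the attribute did. A different context (inside a `<script>` block, in a URL, in CSS) would need a different encoder, which is why escaping belongs at output time where the context is known.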

deg-pl commented 3 years ago

Regarding secure attrib for cookies: AFAIK HTTP connections are still required to work to support some legacy OKAPI clients.

Does OKAPI use cookies??

andrixnet commented 3 years ago

@deg-pl I do not know

andrixnet commented 2 years ago

According to Wojtek Rygielski on the OCPL techlist, this page https://opencaching.pl/viewcache.php?wp=OP28F9 contains another XSS demo. It works even without being logged in.

The problem on https://opencaching.pl/viewcache.php?wp=OP28F9 was that log entries allowed the user to write JavaScript source code that was either not removed or not escaped properly, thus becoming part of the web page and being fed to the browser for interpretation and execution.

  <div class="viewcache_log-content " id="log-content-1510793">
    <p><script>alert('XSS');</script></p><div><small>Last edited 2014-11-18 09:59:06 by user wrygiel - changed completely 3 times.</small></div>

  </div>

This page still shows the XSS alert because the code was stored as it was. I tried to write a new log entry with the same code. Written inline in the log entry form, it was properly escaped. Written in source code, it was eliminated (by TinyMCE) before submission. So in the end it did not work.

Of course, one could manipulate the post-log-entry form and submit directly manipulated form data, or submit via OKAPI (?). So relying on TinyMCE to do checking and escaping is definitely NOT enough.

Furthermore, the POC listed above https://github.com/opencaching/opencaching-pl/issues/2225#issuecomment-789794143 at this time yields the following error page: https://www.opencaching.ro/%22%3E%3Cimg%20src=a%20onerror=prompt('xss');%3E

wrygiel commented 2 years ago

The best practice is to always escape on output (after loading from the db), not on input (before saving). You should never trust what is saved, because - whatever piece of code has validated it in the past - this piece of code is old now, and possibly unsafe.


wrygiel commented 2 years ago

By "escape" I meant "sanitize". (Sorry, the two terms often get swapped in my head for some reason.)

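The stored-XSS demo log and the "sanitize on output, not on input" advice above describe one design: keep whatever was submitted, and make the renderer responsible for safety every time the entry is displayed. The following is an added example (JavaScript, not code from opencaching-pl, which is written in PHP) of that design for rich-text log entries. The tag allow-list, the `Map`-backed storage standing in for the log table, the `sanitizeForOutput` / `isSafeOutput` helpers and the rendered markup are assumptions for illustration; the sample entry is the `<script>alert('XSS');</script>` log from the thread.

```javascript
// Added example, not code from opencaching-pl (which is written in PHP).
// Demonstrates the "store as submitted, sanitize on output" rule for rich-text
// log entries: the stored text is never trusted, so a <script> that got past
// TinyMCE (forged POST, API client, or an entry saved under older rules, like
// the 2014 demo log) is neutralized every time the page is rendered.
// The tag allow-list, storage model and markup are assumptions for illustration.
"use strict";

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Formatting tags a log entry may keep. They are re-emitted in canonical form
// with all attributes dropped, so onerror=, style= or href="javascript:" cannot survive.
const ALLOWED_TAGS = new Set(["p", "br", "b", "strong", "i", "em", "ul", "ol", "li"]);

// Matches anything shaped like a tag. Whatever is not an allow-listed tag,
// including the matched tag text itself, is passed through escapeHtml.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g;

// Output-time sanitizer: the result contains a literal '<' only where a
// canonical allow-listed tag was emitted; every other character is escaped.
function sanitizeForOutput(stored) {
  const text = String(stored);
  let out = "";
  let last = 0;
  for (const m of text.matchAll(TAG_RE)) {
    out += escapeHtml(text.slice(last, m.index));
    const name = m[2].toLowerCase();
    out += ALLOWED_TAGS.has(name) ? "<" + m[1] + name + ">" : escapeHtml(m[0]);
    last = m.index + m[0].length;
  }
  return out + escapeHtml(text.slice(last));
}

// Invariant check on sanitized output: any '<' must start a canonical allow-listed tag.
function isSafeOutput(html) {
  const allowed = [...ALLOWED_TAGS].join("|");
  const stray = new RegExp("<(?!\\/?(?:" + allowed + ")>)");
  return !stray.test(html);
}

// Simulated storage: raw submissions are kept verbatim (no input-time "fixing"),
// mirroring the advice in the thread. A Map stands in for the log table.
function storeLog(db, id, submittedHtml) {
  db.set(Number(id), String(submittedHtml));
}

// Rendering: sanitize at the moment of output, every time the entry is shown.
function renderLog(db, id) {
  const body = sanitizeForOutput(db.get(Number(id)) || "");
  return '<div class="viewcache_log-content" id="log-content-' + Number(id) + '">' + body + '</div>';
}

if (typeof require !== "undefined" && require.main === module) {
  const db = new Map();
  storeLog(db, 1510793, "<p><script>alert('XSS');</script></p>");
  console.log(renderLog(db, 1510793));
}
```

Because nothing in the storage path is trusted, the same renderer protects old rows written before any checks existed, rows written through the API, and rows written through a forged form post; the client-side editor becomes a usability feature rather than a security control. The sanitizer here is deliberately conservative (escape everything, re-emit a handful of bare tags); a real deployment would normally use a maintained allow-list HTML sanitizer for the same purpose.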