overdrive-diy / course-builder

Automatically exported from code.google.com/p/course-builder

[security] - multiple persistent XSSs #64

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I reported multiple persistent XSS vulnerabilities to security@google.com, to 
which they responded that I should file the bug publicly, since Google Course 
Builder allows Javascript execution in general.

While I realize Google Course Builder (GCB) allows Javascript in things like 
lesson bodies, questions, etc., the following bugs are unintentional places 
that allow Javascript execution. The vulnerabilities can be summed up as:
1. Dropdowns in Google Course Builder are built from things like question 
description, but are rendered unsanitized. While GCB allows JS in certain 
instances, I can't imagine it is intentional to allow JS execution in dropdown 
headings.
2. The javascript: protocol is allowed in links even though there is text 
specifically indicating only http:// or https:// should be allowed.

********************************************************************************
Persistent XSS in Dropdown - Add Question Group
********************************************************************************

1. Login to your Google Course Builder instance, e.g. 
https://subdomain.appspot.com

2. Either create a course, or navigate to a course you have permissions on. It 
will take you to a URL like:
https://subdomain.appspot.com/security_1_sessions/dashboard

3. Click 'Assets'

4. Under 'Question Bank', click 'Add Multiple Choice'

5. The 'description' field is where the injection happens, so fill out fields 
with these values:
Question - This is a question
Description - <img/src=a onerror=alert(document.domain)>
Answer - This is an answer

6. Click 'Save'; you should see a "Saved." banner appear.

7. Navigate back to Assets by clicking 'Assets' in the navigation bar.

8. Under 'Question Bank', click 'Add Question Group'. Or navigate to:
https://subdomain.appspot.com/security_1_sessions/dashboard?action=add_question_group

9. Boom, injection occurs; you should see an alert box containing the domain (in 
this example subdomain.appspot.com)

This might appear as a self-XSS, but the panel is shared by many users so 
injection of other users is possible; I tested that other admins of our Course 
Builder instance are also injectable.

********************************************************************************
Persistent XSS in Dropdown - Add Component Screen
********************************************************************************
Very similar to the one I first reported, but essentially we create a question
with a malicious description and the application later builds a drop down without
escaping the description. This instance is in the Add a Component window.

1. Login to your Google Course Builder instance, e.g. 
https://subdomain.appspot.com

2. Either create a course, or navigate to a course you have permissions on. It 
will take you to a URL like:
https://subdomain.appspot.com/security_1_sessions/dashboard

3. Click 'Assets'

4. Under 'Question Bank', click 'Add Multiple Choice'

5. The 'description' field is where the injection happens, so fill out fields 
with these values:
Question - This is a question
Description - <img/src=a onerror=alert(document.domain)>
Answer - This is an answer

6. Click 'Save'; you should see a "Saved." banner appear.

7. Navigate to Outline via 'Outline' link in navbar

8. Create a Lesson by clicking 'Add Lesson'

9. Where Lesson Body is defined, click Rich Text

10. Choose 'Insert Item' option, that takes you to an 'Add a Component' screen

11. Under 'Component Type', select 'gcb:Question'.

12. Boom, injection occurs; you should see an alert box containing the domain (in 
this example subdomain.appspot.com)

********************************************************************************
Persistent XSS via javascript protocol link
********************************************************************************
You can add links to courses. Instructions indicate they should be limited to only
http or https, however you can define a javascript: protocol link and thus execute
javascript.

1. Follow similar steps above to get into Course Builder dashboard.

2. Navigate to Outline via 'Outline' link in navbar

3. Click 'Add link'
  title: XSS
  link:  javascript:alert(document.domain)

4. Save Link and navigate back to Outline

5. You should see a link with the text 'XSS'; clicking the link causes the 
Javascript to fire.

Original issue reported on code.google.com by rfletch....@gmail.com on 10 Sep 2014 at 3:35
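The two bug classes in the report above (a dropdown built from an unescaped question description, and a link field that accepts the javascript: scheme) have the same shape wherever they occur, so the following added example shows the vulnerable rendering pattern next to its hardened form, and a scheme check that enforces the "http or https only" rule the UI text promises. This is illustration code written for this page, not Course Builder's own code; the function names, the question records and the sample URLs are constructed for the demonstration.

```python
"""Hardened counterparts to the two bug classes in the report above.

Added example, not Course Builder's own code. Function names, the
question records and the sample inputs are constructed for the
illustration; the substance is output escaping and a URL-scheme check.
"""
import html
from urllib.parse import urlsplit

# Constructed sample question records: one benign, one carrying the
# description payload from the report.
QUESTIONS = [
    {"id": 1, "description": "Intro quiz"},
    {"id": 2, "description": "<img/src=a onerror=alert(document.domain)>"},
]

# The only schemes the link editor's help text says it accepts.
ALLOWED_LINK_SCHEMES = ("http", "https")


def render_question_dropdown_unsafe(questions):
    """The vulnerable pattern: the description is interpolated verbatim
    into option markup, so an author-chosen description becomes markup."""
    options = "".join(
        '<option value="%d">%s</option>' % (q["id"], q["description"])
        for q in questions
    )
    return '<select name="question">%s</select>' % options


def render_question_dropdown(questions):
    """Hardened: every author-controlled string is HTML-escaped at output
    time, so the description is displayed as text, never parsed as markup."""
    options = "".join(
        '<option value="%d">%s</option>'
        % (q["id"], html.escape(q["description"], quote=True))
        for q in questions
    )
    return '<select name="question">%s</select>' % options


def validate_course_link(url):
    """Return the URL if its scheme is http or https, otherwise None.

    Dispatches on the parsed scheme rather than searching for a
    'javascript:' substring, which also rejects 'JavaScript:', 'data:',
    'vbscript:', scheme-relative ('//host/...') and relative URLs, and the
    leading-whitespace / embedded-control-character variants that browsers
    normalise away before choosing a handler."""
    if not isinstance(url, str):
        return None
    candidate = url.strip()
    # Browsers ignore ASCII control characters inside a scheme, so
    # "java\tscript:" would otherwise be parsed as no scheme at all.
    candidate = "".join(
        ch for ch in candidate if ord(ch) > 0x1F and ord(ch) != 0x7F
    )
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_LINK_SCHEMES or not parts.netloc:
        return None
    return candidate


if __name__ == "__main__":
    print(render_question_dropdown_unsafe(QUESTIONS))
    print(render_question_dropdown(QUESTIONS))
    for sample in ("https://example.com/course",
                   "javascript:alert(document.domain)",
                   " java\tscript:alert(1)",
                   "//evil.example/x"):
        print(repr(sample), "->", validate_course_link(sample))
```

The escaping belongs at the point of output, in whatever layer builds the option list, because the same description may legitimately contain markup where the product intends to allow it (lesson bodies) and must not where it does not (dropdown labels). The scheme check is an allow-list on the parsed scheme, not a deny-list of bad prefixes; a deny-list is what the "http or https only" instruction text was effectively relying on, and it is bypassed by case and whitespace variants.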

GoogleCodeExporter commented 9 years ago
Hi,

Thank you very much for your detailed analysis and description on this.

We will not address this because although the scenarios you describe exist, 
they exist at a permission level of the Course Author who intentionally has 
broad powers (like a webmaster).  That is, even if these scenarios were closed 
on our side, the Course Author / Admin can create arbitrary new pages and 
create more vectors of his choosing.  

Students are protected from each other since they do not enjoy this permission 
level.  However, students can't be protected from a malicious Course Author, 
like unsuspecting users aren't protected from a malicious website (unless 
through third-party means).

Thanks again for taking the time!

Original comment by r...@google.com on 17 Oct 2014 at 5:12