pawelmalak / snippet-box

Snippet Box is a simple self-hosted app for organizing your code snippets. It allows you to easily create, edit, browse and manage your snippets in various languages.
MIT License

security: XSS vulnerability (CVE-2023-23277) #57

Open go-compile opened 1 year ago

go-compile commented 1 year ago

XSS/Cross Site Scripting Vulnerability

Vulnerability: XSS
Severity: VERY HIGH
Image: pawelmalak/snippet-box:arm
Digest: sha256:ba9245cc339d159588c76b33f0ae708f5c1af68a27f876561b8b84ed5b8ee288

Why this is a problem: Snippet-box doesn't have authentication, allowing anyone to perform this attack. Furthermore, if Snippet-box is running on a domain which is used by other services, e.g. Nextcloud, then an attacker could potentially be able to perform a lateral move via extracting local storage, obtaining authentication tokens. Alternatively, one could perform CSRF, even if "same site cookies" are enabled; depending on the service, account takeover may be possible due to XSS on the same domain.

Proof of Concept

  1. Create new snippet.
  2. Set the snippet content to:
    <h1>HTML is being rendered</h1>
    <p style="color: red">WARNING XSS</p>
    <script>alert("XSS")</script>
  3. Copy "raw url"
  4. Navigate within a browser

Result

[image]

Cause

The cause of this vulnerability is the raw snippet route setting content-type to text/html.

Resolution

Follow both steps.

  1. Set content-type to text/plain.
  2. Set header X-Content-Type-Options: nosniff.

Responsible disclosure statement: I was unable to find emergency contact information for reporting security concerns in private; as a result, this issue has been created.

schklom commented 1 year ago

This sounds like a job for a reverse-proxy.

go-compile commented 1 year ago

For the time being it may be an appropriate temporary patch, but certainly not a permanent one.