prawnsalad / KiwiIRC

This is **DEPRECATED**! Please go to https://github.com/kiwiirc/kiwiirc
https://kiwiirc.com
GNU Affero General Public License v3.0

Security Issue - Stored XSS via message in image preview addon #946

Closed samwcyo closed 6 years ago

samwcyo commented 6 years ago

Overview

When sending an image via IRC (anything with a .jpg, .png, etc. extension) it will offer to render the image for you with a side button to expand the image. Since the server does not actually send a request to the image to verify whether or not it is an image, the only thing it's checking for is the extension. You can use a "#" to supply an XSS payload then append a .jpg to make it apply the image functionality. The extension content is not sanitized and is therefore vulnerable to cross site scripting.

Steps to Reproduce

  1. Visit blackout.xmpp.land
  2. Connect with any account
  3. Paste http://google.com/#"><script>alert(document.cookie+document.domain)</script>.jpg

Impact

Send messages on behalf of other users, standard XSS disclosure of cookies/browsing information.

samwcyo commented 6 years ago

[Proof of concept image]

Details

```html
<span class="media image" data-type="image" data-url="http://google.com/#"><script>alert(document.cookie+document.domain)</script>.jpg" title="Open Image"><a class="open"><i class="fa fa-chevron-right"></i></a></span>
```

samwcyo commented 6 years ago

When using the client via https://kiwiirc.com/nextclient/ I'm additionally able to just do http://example.com/#"><script>... vs. http://example.com/#"><script>.jpg.

prawnsalad commented 6 years ago

Awesome, nice catch! Fixed in https://github.com/prawnsalad/KiwiIRC/commit/c56f7405b74e26cd719be6d6fc581f39dd29aac4

LetUsFsck commented 6 years ago

Swift gzpatch, nice work!