Closed samwcyo closed 6 years ago
```html
<span class="media image" data-type="image" data-url="http://google.com/#"><script>alert(document.cookie+document.domain)</script>.jpg" title="Open Image"><a class="open"><i class="fa fa-chevron-right"></i></a></span>
```
When using the client via https://kiwiirc.com/nextclient/ I'm additionally able to just do http://example.com/#"><script>... vs. http://example.com/#"><script>.jpg.
Awesome, nice catch! Fixed in https://github.com/prawnsalad/KiwiIRC/commit/c56f7405b74e26cd719be6d6fc581f39dd29aac4
Swift patch, nice work!
Overview

When sending an image via IRC (anything with a .jpg, .png, etc. extension) it will offer to render the image for you with a side button to expand the image. Since the server does not actually send a request to the image to verify whether or not it is an image, the only thing it's checking for is the extension. You can use a "#" to supply an XSS payload, then append a .jpg to make it apply the image functionality. The extension content is not sanitized and is therefore vulnerable to cross site scripting.

Steps to Reproduce

1. blackout.xmpp.land
2. http://google.com/#"><script>alert(document.cookie+document.domain)</script>.jpg

Impact

Send messages on behalf of other users, standard XSS disclosure of cookies/browsing information.
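The two defects the report describes (an image check that only looks at the end of the raw string, and a URL spliced unescaped into the `data-url` attribute) side by side with a hardened builder. This is an added example, not KiwiIRC's code or the fix in the linked commit; the extension list, the `escapeAttr` helper and the sample payload are assumptions, and the span markup is modelled on the rendered output shown in the report.

```javascript
// Added example (not KiwiIRC's own code). The vulnerable builder decides
// "is an image" from the raw string's suffix and splices the URL straight
// into an HTML attribute, so a fragment such as #"><script>...</script>.jpg
// both passes the check and breaks out of the attribute.

const IMAGE_EXTENSIONS = ['.jpg', '.jpeg', '.png', '.gif']; // assumed list

// Vulnerable: suffix test on the whole string, no attribute escaping.
function buildImageSpanVulnerable(url) {
  if (!IMAGE_EXTENSIONS.some((ext) => url.toLowerCase().endsWith(ext))) {
    return null;
  }
  return '<span class="media image" data-type="image" data-url="' + url +
    '" title="Open Image"><a class="open"></a></span>';
}

// Escape every character that can close an attribute or open a tag.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Hardened: http(s) only, the extension is taken from the parsed pathname
// (a query string or fragment can no longer satisfy it), and the normalised
// URL is escaped before it is placed inside a double-quoted attribute.
function buildImageSpanHardened(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null; // not a parseable absolute URL: render as plain text instead
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return null;
  }
  const path = parsed.pathname.toLowerCase();
  if (!IMAGE_EXTENSIONS.some((ext) => path.endsWith(ext))) {
    return null;
  }
  return '<span class="media image" data-type="image" data-url="' +
    escapeAttr(parsed.href) + '" title="Open Image"><a class="open"></a></span>';
}

// Constructed sample input in the shape the report describes.
const PAYLOAD = 'http://google.com/#"><script>alert(1)</script>.jpg';
```

Feeding `PAYLOAD` to the vulnerable builder yields markup containing a live `<script>` tag; the hardened builder rejects it outright because the pathname is just `/`, and a genuine image URL carrying quotes in its query string is emitted with those characters entity-encoded.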