Open EunhoKim98 opened 3 weeks ago
The hacking demonstration is version 0.8.18, but I also succeeded in that attack in version 0.8.20.
[filtering code] function filterHtmlSchema(data) { return data.filter(item => { const schema = item.schema; return !schema || !schema.hasOwnProperty("text/html"); }); }
I think the html code should be cleaned and filtered on the server side. I use jsoup in java with a whitelist for this purpose. For PHP there are similar extensions and libraries.
For your example, you could also use F12 and inject an alert without any summernote. The attack should not be reflected but of course you can inject anything in your browser by yourself.
Checklist
Steps to reproduce
Step1. Click on the "Insert Image" button within the Summernote functionality.
Step2. Select an arbitrary image and insert it.
Step3. Click on the "Code View" button.
Step4. Attempt an XSS attack by manipulating the code of the inserted image.
Step5. Confirm that the Base64-encoded XSS attack code is indeed stored and operational, demonstrating its functionality.
Expected behavior
[Expected behavior]
I expected that upon following the outlined steps, the Summernote functionality would insert the selected image as intended. Additionally, I anticipated that the Code View feature would allow for the manipulation of the inserted image's code. However, I did not expect the system to accept and execute the Base64-encoded XSS attack code, as this would indicate a vulnerability in the application's security measures.
Current behavior
[Current behavior]
After following the specified steps, the Summernote functionality successfully inserts the selected image into the editor. When switching to Code View and attempting to manipulate the code of the inserted image with Base64-encoded XSS attack code, the application does not prevent the insertion or execution of the malicious code. This behavior was observed in version 0.8.18 during my demonstration. Furthermore, similar findings were confirmed in a different environment running version 0.8.20, indicating that the vulnerability persists across multiple versions. This poses a serious security risk as it allows for potential exploitation of cross-site scripting vulnerabilities.
https://github.com/summernote/summernote/assets/100998394/52f1e94b-d9e1-4f10-91cc-05e015b77a21
Minimal example reproducing the issue