uclaacm / TeachLAFrontend

🌱 The frontend for Teach LA's online IDE, designed to teach kids how to code!
https://editor.uclaacm.com
MIT License

Arbitrary Same-Origin Stored XSS on React + HTML Outputs #1082

Open bliutech opened 1 year ago

bliutech commented 1 year ago

Initially disclosed to @mizlan privately. Opening this issue for easier tracking and documentation.

Vulnerability

On https://editor.uclaacm.com, there is an arbitrary Same-Origin Stored XSS for outputs of the editor, specifically for both React & HTML. The issue arises from a lack of sandboxing of the output while using srcdoc, causing the embedded content to be on the same origin as the editor (source code). The impact could be that an adversary is able to share a page with a payload which could exfiltrate private data about a user or lead to arbitrary writes or downloads.

POC

React: [screenshot]

HTML: [screenshot]

Fix

The solution to this is to introduce the sandbox property to the output iframe. This can be done in the following source code with a behavior of sandbox="allow-scripts allow-modals". This would allow many of the current features to be maintained while allowing resources to be isolated by the Same-Origin Policy.

[screenshot]
mizlan commented 1 year ago

What are some tests I can do after a fix to ensure I've resolved the problem? @bliutech

Is it enough to check the document.domain property?

bliutech commented 1 year ago

Yes. If the origins are not the same, then the Same-Origin Policy applies which should address this issue. 👍
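The fix proposed in the first comment and the origin check discussed in the two comments above, as an added example that is not part of this issue or of the TeachLAFrontend code base. The function names, the attribute-escaping helper and the probe snippet are assumptions about how an output iframe might be rendered; only the `sandbox="allow-scripts allow-modals"` value comes from the issue.

```javascript
// Added example (not TeachLAFrontend's code): rendering the editor's output
// iframe with and without the sandbox attribute, and a probe the output can
// run to confirm it no longer shares the editor's origin.

// Escape a string for use inside a double-quoted HTML attribute such as srcdoc.
// Without this, user code containing a `"` would terminate the attribute early.
function escapeAttribute(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Token set from the issue: scripts and alert()/prompt() keep working, but
// allow-same-origin is deliberately absent, so the frame gets an opaque origin
// and cannot read the editor's DOM, cookies or storage.
const OUTPUT_SANDBOX = "allow-scripts allow-modals";

// Render the iframe markup. `sandboxed: false` reproduces the vulnerable shape
// (srcdoc with no sandbox attribute); `sandboxed: true` applies the fix.
function renderOutputFrame(userHtml, { sandboxed }) {
  const sandbox = sandboxed ? ` sandbox="${OUTPUT_SANDBOX}"` : "";
  return `<iframe title="output" srcdoc="${escapeAttribute(userHtml)}"${sandbox}></iframe>`;
}

// Reviewer-side check on a sandbox value: any token set that includes
// allow-same-origin keeps the frame on the editor's origin, so it does not
// isolate the output (and combined with allow-scripts it lets the content
// remove its own sandbox).
function isIsolatingSandbox(tokens) {
  const set = new Set(tokens.trim().split(/\s+/).filter(Boolean));
  return !set.has("allow-same-origin");
}

// Snippet to run *inside* the output frame after the fix (hypothetical test
// content). Under an opaque origin, window.origin is the string "null",
// document.domain is "", and touching parent.document throws a SecurityError.
const ORIGIN_PROBE = `
  const result = { origin: window.origin, domain: document.domain, parentDomReadable: true };
  try { void parent.document.title; } catch (e) { result.parentDomReadable = false; }
  console.log(JSON.stringify(result));
`;

// Interpret what the probe printed: the fix is effective only when the frame
// reports an opaque origin and cannot reach the parent document.
function probeIndicatesIsolation(result) {
  return result.origin === "null" && result.parentDomReadable === false;
}

// Stand-alone run: show the vulnerable and fixed markup side by side.
console.log(renderOutputFrame("<h1>Hello</h1>", { sandboxed: false }));
console.log(renderOutputFrame("<h1>Hello</h1>", { sandboxed: true }));
```

Checking `document.domain` alone, as asked above, works because an opaque origin reports an empty domain; the probe also tries to touch `parent.document`, which is the access the sandbox is meant to block, so a passing result shows the isolation directly rather than inferring it.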

bliutech commented 11 months ago

Update. CVE-2023-42267 is reserved for this.