XSS via uploaded XML

Bug #1404117 reported by Kristina Hoeppner on 2014-12-19
Affects   Status   Importance   Assigned to   Milestone
Mahara             High         Son Nguyen
1.10               High         Son Nguyen
1.8                High         Unassigned
1.9                High         Unassigned
15.04              High         Son Nguyen

Bug Description

Reported by Roman Mironov

Dear Sir/Madam,

I have found a security vulnerability and would like to disclose it to you.

An attacker can use this vulnerability to initiate stored cross-site scripting attacks on authenticated users.

Bug Description:
It is possible to upload .xml files with malicious code and then share them with users.

As a proof of concept, it was possible to share a file between accounts that redirects the user to google.com.

In order to reproduce this proof of concept please follow these steps:

Preconditions:

1) Ensure you have 2 accounts (user A and user B) that have access to each other's Journal entries.

2) Create an .xml file that has the following line of code:

<script xmlns="http://www.w3.org/1999/xhtml">document.location='http://google.com';</script>

Steps to Reproduce:

1) Log in as user A.

2) Navigate to /artefact/internal/index.php and select Journal on the Navigation block.

3) Press the 'New Entry' button.

4) Enter any Title and Entry text.

5) Add the previously created .xml file as an attachment and press 'Save Entry'.

6) Log in as user B.

7) Navigate to user A's profile page.

8) Find the previously created Journal entry and press the 'Download' button next to the .xml file name.

9) Observe that you are redirected to google.com.

Son Nguyen (ngson2000) wrote :

We need to filter out all malicious code in XML files like we do for HTML.

Aaron Wells (u-aaronw) wrote :

Yeah, that seems to be the suggestion given by OWASP: https://www.owasp.org/index.php/OWASP_Periodic_Table_of_Vulnerabilities_-_XML_Injection

"The framework should provide safe libraries for constructing and manipulating XML documents that automatically encode all dynamic data. The framework should disallow any direct access to raw XML. "

Unfortunately HTMLPurifier doesn't really support cleaning XML (I mean, does XML have exactly the same stuff that needs to be cleaned out, as HTML does?).

Another option we could look at would be to add a "Content-Disposition: attachment" header to XML files. Currently we serve XML files without a Content-Disposition header, which tells the browser to display them in the browser window. And even for other file types that are unrecognized, we do "Content-Disposition: inline", which tells it to try to display the file in the browser window and download it if that's not possible. We should really be doing "Content-Disposition: attachment", which would tell the browser to download the file, and NOT display it in the window. This is especially true because the link reads "Download"!
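Both proposals in this thread, cleaning the XML as is done for HTML (Son Nguyen's comment) and serving uploads with "Content-Disposition: attachment" (Aaron Wells' comment), as an added PHP example. This is not Mahara's code and not the committed fix: clean_xml(), download_headers() and the inline payload are hypothetical, written here to show why the reporter's namespaced <script> runs and what each mitigation removes. The payload is constructed from the reporter's line plus the other vectors a generic XML viewer will honour (on* handlers, javascript: URLs, an xml-stylesheet PI).

```php
<?php
// Added example, not Mahara's own code. clean_xml(), download_headers()
// and the sample payload below are hypothetical / constructed for illustration.

/**
 * Strip active content from an uploaded XML document before it is rendered
 * inline. A browser treats elements in the XHTML (or SVG) namespace inside an
 * arbitrary XML file as live markup, so <script>, on* handlers and
 * javascript: URLs run in the site's origin. XSLT referenced from an
 * xml-stylesheet PI can generate such markup too, so the PI goes as well.
 */
function clean_xml(string $xml): string
{
    $dom = new DOMDocument();
    $prev = libxml_use_internal_errors(true);
    // LIBXML_NONET forbids any network fetch during parsing; LIBXML_NOENT is
    // deliberately NOT set, so entity references are not expanded (no XXE).
    $ok = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if (!$ok) {
        throw new RuntimeException('upload is not well-formed XML');
    }

    $xp = new DOMXPath($dom);
    $remove = [];
    // <script> in any namespace (XHTML, SVG, or unprefixed).
    foreach ($xp->query('//*[local-name()="script"]') as $node) {
        $remove[] = $node;
    }
    // <?xml-stylesheet ...?> processing instructions anywhere in the document.
    foreach ($xp->query('//processing-instruction("xml-stylesheet")') as $node) {
        $remove[] = $node;
    }
    // Collect first, then unlink, so the node list is never mutated while walked.
    foreach ($remove as $node) {
        $node->parentNode->removeChild($node);
    }

    $badAttrs = [];
    foreach ($xp->query('//@*') as $attr) {
        $name  = strtolower($attr->localName);
        $value = strtolower(trim($attr->value));
        if (strncmp($name, 'on', 2) === 0 || strncmp($value, 'javascript:', 11) === 0) {
            $badAttrs[] = $attr;
        }
    }
    foreach ($badAttrs as $attr) {
        $attr->ownerElement->removeAttributeNode($attr);
    }
    return $dom->saveXML();
}

/**
 * Headers for serving an upload as a download instead of rendering it.
 * "attachment" makes the browser save the file rather than display it;
 * nosniff stops it from upgrading a generic type to one it would render.
 * The filename is reduced to a safe character set so it cannot break the
 * header's quoting.
 */
function download_headers(string $filename, string $mimetype): array
{
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    return [
        'Content-Type: ' . $mimetype,
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed payload: the reporter's <script> plus the other vectors above.
$poc = '<?xml version="1.0"?>'
     . '<?xml-stylesheet href="evil.xsl" type="text/xsl"?>'
     . '<doc onload="alert(1)">'
     . '<script xmlns="http://www.w3.org/1999/xhtml">document.location=\'http://google.com\';</script>'
     . '<a xmlns="http://www.w3.org/1999/xhtml" href="javascript:alert(1)">link</a>'
     . '</doc>';

// Mitigation 1: show the cleaned document (script, PI, onload and href gone).
echo clean_xml($poc), "\n";

// Mitigation 2: the headers a download endpoint should send; in a real
// response each line would be passed to header().
foreach (download_headers('entry attachment.xml', 'application/xml') as $h) {
    echo $h, "\n";
}
```

The two mitigations are complementary rather than alternatives: the header fix stops the file from being rendered in Mahara's origin at all, which is what the "Download" link promises, while the cleaner matters wherever the site does choose to show XML inline.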

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4253
Committed: http://gitorious.org/mahara/mahara/commit/13428c09f5245a44b5623c4bcfd50768299a2e24
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.8_STABLE

commit 13428c09f5245a44b5623c4bcfd50768299a2e24
Author: Son Nguyen <email address hidden>
Date: Mon Jan 5 12:03:34 2015 +1300

Display cleaned content of XML file. Bug 1404117

Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4254
Committed: http://gitorious.org/mahara/mahara/commit/c91bac68f3921dec820464d63f98f12441f997ce
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.9_STABLE

commit c91bac68f3921dec820464d63f98f12441f997ce
Author: Son Nguyen <email address hidden>
Date: Mon Jan 5 12:03:34 2015 +1300

Display cleaned content of XML file. Bug 1404117

Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4255
Committed: http://gitorious.org/mahara/mahara/commit/f8a6c8aa14de3b13b07b8dfe3b2068031afe204e
Submitter: Robert Lyon (<email address hidden>)
Branch: 1.10_STABLE

commit f8a6c8aa14de3b13b07b8dfe3b2068031afe204e
Author: Son Nguyen <email address hidden>
Date: Mon Jan 5 12:03:34 2015 +1300

Display cleaned content of XML file. Bug 1404117

Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <email address hidden>

Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/4121
Committed: http://gitorious.org/mahara/mahara/commit/3cf591539c8ae51183ea45426345c9350798eb15
Submitter: Robert Lyon (<email address hidden>)
Branch: master

commit 3cf591539c8ae51183ea45426345c9350798eb15
Author: Son Nguyen <email address hidden>
Date: Mon Jan 5 12:03:34 2015 +1300

Display cleaned content of XML file. Bug 1404117

Change-Id: I0dffc63f0ea10409c9ae18b9194a13a2287e0a7c
Signed-off-by: Son Nguyen <email address hidden>

Robert Lyon (robertl-9) on 2015-02-09
information type: Private Security → Public Security
Robert Lyon (robertl-9) on 2015-04-17
Changed in mahara:
status: Fix Committed → Fix Released