Skip to content
This repository has been archived by the owner on Nov 21, 2024. It is now read-only.

Remote code execution vulnerability with XHTML-IM enabled #498

Open
arcriley opened this issue Jan 1, 2017 · 18 comments
Open

Remote code execution vulnerability with XHTML-IM enabled #498

arcriley opened this issue Jan 1, 2017 · 18 comments

Comments

@arcriley
Copy link

arcriley commented Jan 1, 2017

Candy lacks a proper HTML sanitizer allowing remote javascript code execution which can be used to send spam from other user's accounts, steal account credentials, or exploit browser vulnerabilities.

This hack was done with a simple img onload="" to send a message via Candy's own API. It could just have easily made everyone's clients send their login credentials to the room.

screenshot from 2016-12-31 23-09-01

@benlangfeld
Copy link
Member

It would have been more appropriate to disclose this privately before posting it publicly.

I'll look into solutions when I can. In the meantime we're now in a slightly awkward position. If anyone else has a ready fix, PRs would be greatly appreciated.

@jdc20181
Copy link

jdc20181 commented Jan 1, 2017 via email

@arcriley
Copy link
Author

arcriley commented Jan 1, 2017

I would have sent it to your security list if there was one.

I believe the correct patch would be informing users that XHTML-IM should be disabled and removing support for it entirely in the next release. It is simply too difficult to sanitize XHTML-IM correctly, and several modern clients (such as Conversations) has come to this same conclusion.

Consider if you spend the time to write a clean-tree sanitizer; walk through the incoming message node by node, and when valid nodes are found pass the supported attributes to a function which re-creates that node in your clean tree. All someone would need to do to attack this is send an img src="javascript:" or something similar, and each time this is discovered you'd have to go back to make your sanitizer check for something extra. There's no winning this game.

There's also a privacy issue img elements; if I want to discover the IP address of another user all I would need to do is send an image to them privately through a MUC service and check the HTTP server logs for which IP was used to access it. Their IP address reveals their geographic region, with the help of 3rd party lookup services it can show some of their Internet history, or it could be used to launch a ddos attack.

@jdc20181
Copy link

jdc20181 commented Jan 1, 2017 via email

@arcriley
Copy link
Author

arcriley commented Jan 1, 2017

DDoS attacks are primarily executed against servers because individual users rarely have their IP addresses exposed like this, but they used to happen on IRC against individual users all the time (and are much easier to accomplish given the limited bandwidth many users have). What changed to stop this is most IRC servers started masking user hostnames/IPs.

@jdc20181
Copy link

jdc20181 commented Jan 1, 2017 via email

@jdc20181
Copy link

jdc20181 commented Jan 2, 2017

If I worked on a PR and somehow get Something Like this integrated would this help? I am trying to figure out a easy way to add a hotfix. As it seems like its a easy fix. I also suggest adding your own PR with the Security message. Write so no one is alarmed but proceed with caution. and it is reccomended you have xhtml-im disabled.

@attritionorg
Copy link

This ticket is full of win! Candy Dev, where do you explicitly say where security issues should be reported? (security isn't mentioned in GitHub readme, or your .io page). Bug reporter, XSS is not RCE, at all, in any way (although, bonus points for the Super Troopers image in your XSS PoC). In the mean time, please continue with this disclosure... =)

@benlangfeld
Copy link
Member

@attritionorg We don't have an explicit security disclosure process, that's our failure and I will fix it. In the absence of something explicit, emailing the maintainer directly would be a reasonable assumption to make. Instead I now have this public disclosure to scramble after like a headless chicken without any advance warning.

@arcriley
Copy link
Author

arcriley commented Jan 2, 2017

This issue was discovered publicly by one of our Google Code-in students, who was writing a plugin for Candy, but used an onclick="" from the sender side. This led to a discussion as to why this wasn't a good solution, and moreso, the security implications of javascript even being allowed.

If you'd like help addressing this we have 2-3 students who are extremely familiar with Candy who would love to clean this up.

It would be great to get you back into the XSF, applications for Q1 2017 are now open.

@benlangfeld
Copy link
Member

If your team has time to prepare a solution, that would be much appreciated! The time I have available to work on Candy is unfortunately very limited since I don't actively use it any more.

@jdc20181
Copy link

jdc20181 commented Jan 2, 2017 via email

@attritionorg
Copy link

Was this ever fixed? There a link to the commit etc?

@benlangfeld
Copy link
Member

No-one has yet proposed a fix.

@arcriley
Copy link
Author

arcriley commented Jul 14, 2017 via email

@benlangfeld
Copy link
Member

Do you have a pull request?

@arcriley
Copy link
Author

arcriley commented Aug 1, 2017 via email

@benlangfeld
Copy link
Member

No.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants