-
Notifications
You must be signed in to change notification settings - Fork 302
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Permission escalation because user-uploaded html files can use session cookie #1719
Comments
I'm sorry to not understand your point. But I am not an expert and even less in security. A Solid Pod is a web server. As such should serve html files. You can use mashlib as a web app see https://solidos.github.io/mashlib/dist/browse.html
return Not Authenticated and do not display anything. I don't thing the script code is run
To my understanding DPOP authorization do not give access to the credentials in localStorage. |
I've tried to replicate it with CSS+mashlib, however it seems not exploitable there. A request there results with 401, my guess is because no authorization header is sent and CSS requires this. NSS on the other hand does not seem to require the authorization header, only the |
@bourgeoa Is there any further information I could provide to help resolving this issue? I understand that this is a bigger change and thus needs time, just want to be sure it's not taking more time than necessary because of missing information. |
My guess was wrong, the cookie is set in both ways on solidcommunity.net, so it is not cross-origin in the first place. So moving mashlib to a different origin does not help the problem. I've updated the original post and removed outdated comments. |
@Otto-AA Hello Otto. I think any MIME type that uses a DOM-style model can execute javascript, such as text/html, svg, xml, and definitely others I am unaware of. If you would like to help me understand what session cookie is doing versus authentications, and what sort of MIME types use a DOM, I can potentially work on having the Content-Disposition: attachment header set if any response type being sent is under those content types. If that is too difficult, if you could provide more information about the security flaws I can take a look at a change that may not break backwards compatibility. Edit: And if you can also perhaps point to the code snippet that is only using the session cookie as the authorization method in NSS. |
Hi @zg009 In general, I think there are two problems. (1) that NSS allows cookie authentication, so any html/etc file that is stored on the pod can make authenticated requests (this github issue). (2) that NSS (and CSS) do not restrict serving user-created html/etc files, so these can run in the browser under the pods origin (see solid/specification#514). It could be, that all problems of (1) are solved if (2) is addressed, I didn't think much about this yet. In other words, it could be, that we do not need to change/remove the cookie authentication if we implement some restriction on serving user-created html/etc files (eg adding the CSP sandbox header to all files). If this is the case, I think the priority would be to address (2), and not the cookie issue. To understand the impact it would have and which mechanism is suitable to address the issue. This is more of a general Solid issue and less NSS specific (thus the general issue in the specification repository).
Good point. From what I know, javascript is possible in Html and Svg. Xml does not work, but I guess XHtml also works 🤷.
I'm not sure if NSS itself relies on the cookie. Maybe it does so for account management (login, registration, account deletion if it has such). I think SolidOS relies on cookies to display iframes of html files. So if you have |
@Otto-AA I am making the assumption here that this flaw occurs only under the condition that Alice (victim) gave Eve (malicious actor) append access to her pod on NSS and Eve uploaded an file capable of injecting javascript which can abuse the session key authentication. Isolating all MIME types may be difficult, and there is some discussion I saw about rendering HTML and JS files being necessary for some things Solid should be used to achieve. I am not a session/cookie expert by any means, but it looks like disabling scripts running from HTML files would solve this issue, but overlaps with the fact you may want scripts to do a certain task for a non-malicious actor. Exfiltration itself isn't even the biggest issue since any method would work theoretically with owner-level authentication, and the resource can't be secured with extra cookies, so I'm pretty sure this is a strictly server-side issue. Can you think of any use cases where a user would be executing content in an HTML file uploaded by a malicious actor against their own Pod? Assuming this malicious actor only has append permissions. I am also assuming if a malicious actor has read-only permissions then this attack isn't feasible. But having write + append access has the same/worse outcome.
I've looked at some of the code itself and as far as account management and creation I have not run into the section which uses the cookie yet, as I've toyed around with the code myself some for fixing a couple of issues and pet projects, so I'll look further into it. |
Yes, at least Append is necessary. However, if I remember correctly, by default everybody has Append access to the inbox on NSS.
A server could simply add the CSP sandbox header to all files, regardless of their MIME type. For the files that can execute javascript (html, etc) it would put them into their own sandbox. For other files, it won't have an effect.
Yes, it's a good question what the usability impact would be when fixing (1) NSS cookies or (2) or same-site hosting of html/... files. For latter, there are some example usages mentioned in the main issue for this security issue: solid/specification#514
I'm not sure I understand what you mean with "use case" (for me, this means a way a user uses the application, not something connected to a malicious actor).
I wish you good luck at finding the usages :) However, to be honest I wouldn't spend too much time into this cookie issue, as it is likely solved by solid/specification#514 anyway. (For that, trying to understand the implications of the CSP Sandbox header for end-users would be good. We likely want to know which use cases exist, that make use of html/... content on the pod and would be broken with this, before implementing it). |
I've read the discussion at the specification you linked, and it looks like it is still in the works. However, I can create a branch of NSS as it is and add a middleware that will attach a CSP sandbox header on successful GET requests before they are sent. I'll also see if it breaks the test suite in any meaningful way, and potentially write tests that may break. I'll leave this open for now until the specification gets finalized, and then work from there. |
Edit: I've replaced localStorage from the initial comment with cookies, my initial idea that localStorage is the problem was wrong.
Edit 2: Updated whole issue to say it is not mashlib related, but only requires any app login
Description
When logging in, solidcommunity stores a session cookie (nssidp.sid) that can be used for authentication. For html files running on *.solidcommunity.net this cookie will be attached to the request. If a malicious user creates a html file on victim.solidcommunity.net and the victim is logged, opening this html file gives the attacker full access to the pod.
Exploit
Preconditions:
A simple exploit could look like this:
exploit.html could be similar to following (abusing read access to private resources):
Impact
The result is, that an app or webId can escalate their permissions to the level of the logged in user. Thus, giving anyone append permissions to one file gives them control over the whole pod.
The required user interactions are either:
Note that I would have expected the exploit would work even if the html file is hosted on another pod (evil.solidcommunity.net). However, it seems it sends the session cookie but results in 403 when accessing the private resources. For me this 403 is unexpected, but I guess the server checks the sender domain with regards to the session cookie.
Migitation
The problem arises, because NSS sets a session cookie on solidcommunity.net and serves user-generated html files on solidcommunity.net. This cookie is attached to requests to solidcommunity.net and subdomains.
The solutions I see currently are:
All of these are breaking changes.
Remarks
Related to: https://forum.solidproject.org/t/is-it-secure-for-pods-to-serve-html-files/6379/6 (about sandboxing / not serving html files)
The text was updated successfully, but these errors were encountered: