Open Redirect via deskDomain in jgraph/drawio

Valid

Reported on

Jun 29th 2023


Description

This vulnerability occurs because an attacker-chosen domain value can be placed into the `href` of an `<a>` tag by manipulating the `deskDomain` field of the configuration carried in the URL fragment.

    // Source: the URL fragment is attacker-controllable and is parsed as JSON
    if (window.location.hash != null && window.location.hash.substring(0, 9) == '#_TICKETS')
    {
        try
        {
            var temp = JSON.parse(decodeURIComponent(
                window.location.hash.substring(9)));
            
            if (temp != null && temp.ticketsConfig != null)
            {
                config = temp.ticketsConfig;
                configure();
                ui.fileLoaded(new LocalFile(ui, ui.emptyDiagramXml, this.defaultFilename, true));
                // Sink: deskDomain is HTML-entity-encoded (which prevents markup injection)
                // but never validated as a hostname before becoming the link target
                ui.editor.setStatus('Drag tickets from <a href="' + mxUtils.htmlEntities(deskDomain) +
                    '/a/tickets/filters/all_tickets" target="_blank">' +
                    mxUtils.htmlEntities(deskDomain) + '</a>');
            }
        }
        catch (e)
        {
            console.error(e);
        }
    }

The code above populates `config` from the URL fragment whenever the fragment starts with `#_TICKETS`, so every field of `ticketsConfig` is under the control of whoever crafted the link.

    function configure()
    {
        // deskDomain is built by plain string concatenation; a value containing
        // "/" terminates the host early, turning ".freshdesk.com" into a path
        deskDomain = 'https://' + config.deskDomain + '.freshdesk.com';
        deskApiKey = config.deskApiKey;
        
        deskTypes = config.deskTypes || deskTypes;
        deskStatus = config.deskStatus || deskStatus;
        deskStatusWidth = {};

        // Precomputes text widths for custom ticket status
        var div = document.createElement('div');
        div.style.fontFamily = 'Arial,Helvetica';
        div.style.visibility = 'hidden';
        div.style.position = 'absolute';
        div.style.fontSize = '11px';
        
        document.body.appendChild(div);
        
        for (var key in deskStatus)
        {
            div.innerText = '';
            mxUtils.write(div, deskStatus[key]);
            deskStatusWidth[key] = div.clientWidth + 4;
        }

        document.body.removeChild(div);
    };

`configure()` builds a URL from the `deskDomain` value of the configuration passed in the fragment. The resulting `deskDomain` string is then inserted as the `href` attribute of an `<a>` tag and added to the DOM. Because the value is only HTML-entity-encoded and is never checked to be a single subdomain label, a value such as `google.com/` produces `https://google.com/.freshdesk.com`, whose host is the attacker's domain rather than a `freshdesk.com` subdomain.
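To make the failure mode concrete, the following is an added example (not draw.io's code and not the project's actual fix). It reproduces the fragment parsing and the concatenation from the snippets above, shows what host a browser actually resolves for a crafted `deskDomain`, and places a hardened variant beside it that accepts only a single DNS label and then re-checks the parsed hostname. The function names, the `LABEL_RE` pattern and the sample fragment are assumptions constructed for this example.

```javascript
// Added example: why the fragment-driven deskDomain is an open redirect, and a
// hardened variant. Names below are hypothetical and not from the draw.io code base.

// Parse a "#_TICKETS{...}" fragment the way the page's snippet does: strip the
// 9-character prefix, URL-decode, JSON.parse, and return ticketsConfig (or null).
function parseTicketsConfig(hash) {
  if (hash == null || hash.substring(0, 9) !== '#_TICKETS') return null;
  try {
    const temp = JSON.parse(decodeURIComponent(hash.substring(9)));
    return temp != null && temp.ticketsConfig != null ? temp.ticketsConfig : null;
  } catch (e) {
    return null; // malformed fragment: treat as "no config"
  }
}

// Vulnerable construction, mirroring configure(): plain string concatenation.
// A value containing "/" (or "?" / "#") ends the host part early, so the
// ".freshdesk.com" suffix becomes a path on whatever host the value named.
function buildDeskDomainVulnerable(config) {
  return 'https://' + config.deskDomain + '.freshdesk.com';
}

// Hardened variant (one reasonable fix, assumed here): accept only a single
// DNS label (letters, digits, hyphens, 1-63 chars), then confirm that the URL
// the browser would parse really lands under freshdesk.com.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function buildDeskDomainSafe(config) {
  const label = typeof config.deskDomain === 'string' ? config.deskDomain : '';
  if (!LABEL_RE.test(label)) {
    throw new Error('invalid deskDomain label');
  }
  const url = new URL('https://' + label + '.freshdesk.com');
  // Defence in depth: the regex should already guarantee this, but assert it.
  if (url.hostname !== label.toLowerCase() + '.freshdesk.com') {
    throw new Error('deskDomain did not resolve to a freshdesk.com host');
  }
  return url.origin;
}

// Effective host of a built URL, as the browser's URL parser sees it.
function hostOf(urlString) {
  return new URL(urlString).hostname;
}

// Constructed sample fragment, shaped like the report's proof of concept
// (example.org stands in for the redirect target).
const SAMPLE_HASH = '#_TICKETS' + encodeURIComponent(
  JSON.stringify({ ticketsConfig: { deskApiKey: 'x', deskDomain: 'example.org/' } }));

const cfg = parseTicketsConfig(SAMPLE_HASH);
console.log(buildDeskDomainVulnerable(cfg));          // https://example.org/.freshdesk.com
console.log(hostOf(buildDeskDomainVulnerable(cfg)));  // example.org
try {
  buildDeskDomainSafe(cfg);
} catch (e) {
  console.log('rejected:', e.message);                // rejected: invalid deskDomain label
}
console.log(buildDeskDomainSafe({ deskDomain: 'acme' })); // https://acme.freshdesk.com
```

The key point the example makes is that HTML-entity encoding (what `mxUtils.htmlEntities` does) protects against markup injection, not against a hostile URL: the string is well-formed HTML and still points wherever the fragment said. Validating the label before concatenation is what closes the redirect.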

Proof of Concept

1. https://app.diagrams.net/?ui=min&p=tickets#_TICKETS{"ticketsConfig":{"deskApiKey":"google.com/","deskDomain":"google.com/"}}
2. Click the `Drag tickets from` link shown in the status bar.

Impact

Open redirects are most commonly used to support phishing, or to send users to malicious websites while the link they were given appears to point at a trusted domain (here `app.diagrams.net`).

We are processing your report and will contact the jgraph/drawio team within 24 hours. 3 months ago
David Benson
3 months ago

Maintainer


Thanks for the report. How is the effect on system integrity low in this case? You're claiming an attacker can access or modify data using this attack; please could you explain how?

Pocas
3 months ago

Researcher


I am so sorry. I think that this seems to be close to availability or confidentiality. Can you set one of the two security factors to Low?🤔

David Benson
3 months ago

Maintainer


What is the effect on availability or confidentiality?

David Benson modified the Severity from Medium (4.3) to None (0) 3 months ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability 3 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Pocas
3 months ago

Researcher


When will it be patched?

David Benson marked this as fixed in 21.6.1 with commit c82454 3 months ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
David Benson published this vulnerability 3 months ago