Hyperlink injection in email in outline/outline
Jul 2nd 2022
Hyperlink injection in email
There is no character length limit on the user fullname field, so a user can set fullname to a very long string and can also put a link URL in it.
1. Go to the admin account profile and change fullname to the text below:
Hi, You have been invited to getoutline . If you are existing user then login to http://attacker.com/?login=true . If not then goto http://attacker.com/?invite=true&id=xyz and setup with your account.Then login with your new password . Ignore this mail if already done .
2. Now invite a user (user-B) with the viewer role.
Now user-B receives a mail like the one below.
Here user-B thinks it is a real email and that it is from Outline, so the victim will trust it and will log in or sign up on the attacker's site.
The attacker then gets the victim's password or some other token.
I see getoutline does not have password authentication, but an attacker can steal other types of tokens or mislead the users.
My suggestion is to limit the fullname character length and not allow hyperlinks in fullname.
Here are a few HackerOne reports similar to it:
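One way to apply the suggested fix, as an added example that is not Outline's own code: check the name when it is saved, and check it again when it is placed in the invite email so that names stored before the check existed are also covered. The function names, the 64-character limit and the fallback text are assumptions.

```typescript
// Added example: hypothetical helpers, not taken from the Outline code base.
const MAX_NAME_LENGTH = 64;            // assumed limit
const FALLBACK_NAME = "A team member"; // assumed neutral text for emails

// Anything a mail client may turn into a clickable link:
// an explicit scheme, a "www." prefix, or a bare host.tld.
// Trade-off: dotted names typed without a space ("Dr.Smith") are rejected too.
const URL_LIKE =
  /(?:[a-z][a-z0-9+.-]*:\/\/|\bwww\.|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b)/i;

// Collapse runs of whitespace so padding cannot be used to shape the email body.
function normalizeName(input: string): string {
  return input.replace(/\s+/g, " ").trim();
}

// Returns null when the name is acceptable, otherwise the reason for rejecting it.
function nameProblem(input: string): string | null {
  const value = normalizeName(input);
  if (value.length === 0) return "empty";
  if (value.length > MAX_NAME_LENGTH) return "too long";
  if (URL_LIKE.test(value)) return "contains link";
  return null;
}

// Render-time guard: a stored name that fails the check is never
// interpolated into the invite email; a neutral label is used instead.
function nameForEmail(storedName: string): string {
  return nameProblem(storedName) === null
    ? normalizeName(storedName)
    : FALLBACK_NAME;
}
```

Call `nameProblem` in the profile update handler to reject the change, and `nameForEmail` in the invite template for the inviter's name.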
hyperlink injection in fullname allow to confuse user and steal victim password