Cross-site Scripting (XSS) - Stored in thoughtbot/administrate

Valid

Reported on

Jun 16th 2021


💥 BUG

Stored XSS using an unsanitized URL

💥 IMPACT

There is no URL scheme sanitization, which allows the javascript: protocol to be supplied in the URL and causes XSS.

💥 PAYLOAD

javascript:alert(document.domain)

💥 STEPS TO REPRODUCE

Tested on the demo version at https://administrate-demo.herokuapp.com/admin.
1. Please see this 1-minute video to reproduce: https://drive.google.com/file/d/1Kq0b0fHdm8pvDyjuxVUTUOkePppvnChG/view?usp=sharing

SUGGESTED FIX

First validate that the URL starts with https://, http://, ftp://, etc., and block the javascript: protocol.

Z-Old
a year ago

Admin


Hey ranjit-git, I've emailed the maintainers and am waiting to hear back. Good job!

A thoughtbot/administrate maintainer
a year ago

Maintainer


We implemented a fix for this in https://github.com/thoughtbot/administrate/pull/2003, which sanitizes the field on the Demo apps (it's been deployed to both of those too).

We limited the fix to just the demo app, as it's really up to the end user how they use the library. There are enough cases where you might wish to use protocols other than http/https and so we can't dictate in that regard. Additionally, the Demo apps reset every day (otherwise they would fill with spam), so, similarly, the risk is low.

But thanks for opening this!
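The suggested fix above (allow http/https/ftp and block javascript:) and the maintainer's caveat (some deployments legitimately want other protocols) both point at the same thing: an allowlist of URL schemes that the application owner configures, applied before a user-supplied link is stored or rendered as an href. The Ruby below is an added example for this report; it is not administrate's code and not the change made in PR 2003. The module name `SafeUrl`, the default scheme list and the sample inputs are assumptions. It also covers two cases a naive `start_with?("http")` check misses: a mixed-case scheme, and browsers' pre-parse stripping of tabs, newlines and leading whitespace, which lets `" javascript:..."` or `"java\tscript:..."` execute when clicked.

```ruby
require "uri"

# Added example (not administrate's own code): allowlist-based URL scheme
# validation for a user-supplied link field.
module SafeUrl
  # Assumed default. Deployments that need mailto:, tel:, ftp:, ... pass
  # their own list. The important property is that this is an allowlist,
  # so javascript:, data:, vbscript: etc. are rejected without being named.
  DEFAULT_SCHEMES = %w[http https].freeze

  # Hierarchical schemes that must carry a host; "http:///x" is not a usable link.
  HOST_REQUIRED = %w[http https ftp].freeze

  # Returns the cleaned URL string if its scheme is allowed, otherwise nil.
  def self.sanitize(value, schemes: DEFAULT_SCHEMES)
    return nil if value.nil?

    # Mirror the WHATWG URL pre-processing browsers apply before parsing:
    # drop ASCII tab/newline anywhere, and leading/trailing C0 controls and
    # spaces. Otherwise "java\tscript:alert(1)" passes a prefix check yet
    # still runs when the stored link is clicked.
    cleaned = value.to_s
                   .gsub(/[\t\n\r]/, "")
                   .gsub(/\A[\u0000-\u0020]+|[\u0000-\u0020]+\z/, "")
    return nil if cleaned.empty?

    uri = URI.parse(cleaned)
    scheme = uri.scheme&.downcase
    # Scheme-relative ("//evil.example") and relative paths are rejected as
    # well: a stored link should be absolute, and that keeps the rule simple.
    return nil if scheme.nil?
    return nil unless schemes.map(&:downcase).include?(scheme)
    return nil if HOST_REQUIRED.include?(scheme) && uri.host.to_s.empty?

    cleaned
  rescue URI::InvalidURIError
    nil
  end

  # For templates: a safe href, or "#" so a bad value never reaches the attribute.
  def self.href(value, schemes: DEFAULT_SCHEMES)
    sanitize(value, schemes: schemes) || "#"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the payload from this report.
  [
    "https://example.com/admin",
    "javascript:alert(document.domain)",
    " JavaScript:alert(1)",
    "java\tscript:alert(1)",
    "//evil.example/x",
    "mailto:admin@example.com",
  ].each do |input|
    puts "#{input.inspect} => #{SafeUrl.sanitize(input).inspect}"
  end
end
```

In a Rails app the same check fits naturally as a model validation on the URL attribute, so that a rejected value is never persisted; applying `SafeUrl.href` at render time is a second line of defence for data that was stored before the validation existed.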

A thoughtbot/administrate maintainer validated this vulnerability a year ago
ranjit-git has been awarded the disclosure bounty
The fix bounty is now up for grabs
A thoughtbot/administrate maintainer confirmed that a fix has been merged on e1baea a year ago
The fix bounty has been dropped
Z-Old
a year ago

Admin


Thanks for responding to this so swiftly! May I ask why you wished not to claim the fix bounty reward? Your feedback would be much appreciated 🙏
