Stored XSS and HTML injection from markdown in kiwitcms/kiwi

Valid

Reported on

Nov 2nd 2022


Description

Stored XSS, also known as persistent XSS, is the more damaging of the XSS. It occurs when a malicious script is injected directly into a vulnerable web application. Due to a sanitization problem it is possible to perform both a Stored XSS and an HTML injection. Thanks to this attack it is possible to disable the history page making it unusable (for example I created a transparent page above with an infinite redirect), or it is possible to create a stored XSS.

The problem is that the markdown input is sanitized in the TestPlan, but it is not sanitized by the history page. On the history page it will run.

Proof of Concept

1 - Insert one of the following payloads into a Test Plan.

2 - Go to the history

Stored XSS:

<a href="https://evil.com/users/signin" onmouseover="confirm(document.cookie)" style="position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;">foo</a>

Stored HTML Injection - Disable the history page:

<a href='https://evil.com/users/signin' style='position: fixed; top: 0; right: 0; width: 10000px; height: 10040px; opacity:0.00001;'>foo</a>

POC Video (Payload execution):

https://drive.google.com/file/d/1n7ZSrOOIb47vZro4ck2-hPRkzbSiX8CF/view?usp=sharing

Update:


I made a video where a basic user (not an admin) creates a testplan. When Admin goes into the history of the testplan created by the basic user, the XSS will appear (stored blind XSS)

POC:

https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share_link

Impact

Stored XSS to run malicious javascript.

  1. HTML Injection to perform a UI redressing attack (clickjacking)
  2. HTML injection which disables the use of the history page
We are processing your report and will contact the kiwitcms/kiwi team within 24 hours. a month ago
Antonio Spataro
a month ago

Researcher


I made a video where a basic user (not an admin) creates a testplan. When Admin goes into the history of the testplan created by the basic user, the XSS will appear (stored blind XSS)

POC:

https://drive.google.com/file/d/1FlGvATGWKWXXoMB6h2Z-JOX1gVhkssx5/view?usp=share_link

We have contacted a member of the kiwitcms/kiwi team and are waiting to hear back 25 days ago
Antonio Spataro modified the report
25 days ago
We have sent a follow up to the kiwitcms/kiwi team. We will try again in 7 days. 22 days ago
kiwitcms/kiwi maintainer validated this vulnerability 22 days ago
Antonio Spataro has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
kiwitcms/kiwi maintainer
22 days ago

Maintainer


Patch in https://github.com/kiwitcms/Kiwi/pull/2970. Will update this bounty once we have packaged an updated version in the next few days.

Antonio Spataro
22 days ago

Researcher


Will this vulnerability recognized as a CVE?

kiwitcms/kiwi maintainer marked this as fixed in 11.6 with commit a2b169 20 days ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Antonio Spataro
20 days ago

Researcher


@admin this is my first time using this platform. Could I know if I will be able to have a cve being a framework with more than a million downloads? Can I possibly report the cve a miter? Plus I don't understand how it works, will I have a bounty for vulnerability?

Pavlos
19 days ago

Admin


Hi Antonio, welcome! Our systems recognise popular repos and will ask the maintainer to assign a CVE automatically as soon as they're ready to publish your vulnerability. Unfortunately, this report doesn't have a bounty associated with it.

To go to MITRE you must be a CNA. In our case, we put that ability in the hands of the maintainer.

Hope that helps! Feel free to directly message us if anything else is unclear :)

Antonio Spataro
18 days ago

Researcher


perfect, thank you so much for the clarification. I will look forward to the recognition of CVE.

Antonio Spataro
17 days ago

Researcher


@maintainer Hi, I saw that a new software version has been released dated 09 November and a vulnerability fix has been implemented. In the changelog it says "Sanitize HTML input when generating history diff to prevent XSS attacks". I would like to know from the maintainer if it was possible now that it has been fixed to get the CVE and make the vulnerability public. https://kiwitcms.readthedocs.io/en/latest/changelog.html

@admin for the admin, I have no idea if the maintainer is able to see this message or not, if not I would appreciate if you could ask for updates, as the patch has now been released and the software up to date. I would like to know less if the CVE will be released in the future because I don't quite understand if the mainteiner wants to release it or not.

Pavlos
13 days ago

Admin


Hi again Antonio! Could you please nudge them to publish it and assign a CVE via their security.md email?

Antonio Spataro
13 days ago

Researcher


Hi, I wrote a mail to the team as you suggested, thanks a lot for your reply :)

Antonio Spataro
12 days ago

Researcher


@admin the team replied to me with: "You can make the vulnerability public, but we don't know how to create a CVE number because we've not done this before."

What should i tell him? Could you explain to me how they should do it or possibly contact them? For me it is not a problem to act as an intermediary.

For now I answered like this, let me know what to do: "I reported the vulnerability from huntr.dev. They have the necessary permissions to let you perform the CVE request and they replied to me with the following text: "To go to MITRE you must be a CNA. In our case, we put that ability in the hands of the maintainer. (meaning kiwitcms maintainer)". I contacted their team again, asking about the CVE assignment process so you can go through it, it shouldn't be anything complicated, I think it takes a few minutes and filling out an online form, and for me as a security analyst it's a great reason to be proud if you could do it. If you recognize me the CVE, I would analyze more versions of your software for free, and like me other cyber security analysts who believe in open source would do it. I will contact you with the info on how to do it or eventually they will contact you (huntr.dev). Since the framework has over a million downloads and huntr.dev gives the ability for you as a team to assign a CVE, and since the vulnerability was quite severe I'd like a CVE code to be assigned.

hope to hear from you soon, have a nice day Antonio Rocco Spataro"

Antonio Spataro
10 days ago

Researcher


@admin any update?

Pavlos published this vulnerability 8 days ago
to join this conversation