Stored HTML Injection in btcpayserver/btcpayserver

Valid

Reported on

Jan 20th 2023

Team,

I hope you are all doing well.

*. I wanted to bring to your attention a potential vulnerability on the website https://mainnet.demo.btcpayserver.org/account/apikeys.

*. During my research, I discovered that the api key label field is vulnerable to a stored HTML injection attack.

Proof of Concept:

*. I have created a video demonstration of the vulnerability and uploaded it to my Google Drive.

*. The link for the video is provided below for your review:

https://drive.google.com/file/d/1MJGqJui4wEchUDVlkrmdLS7GxEpaVqeb/view?usp=sharing

Reproduction Steps:

*. Go to the website https://mainnet.demo.btcpayserver.org/account/apikeys

*. Click account.

*. Click manage account.

*. Then move on to the api endpoint.

*. That is https://mainnet.demo.btcpayserver.org/account/apikeys

*. Here, create api key with the label as a html payload.

*. Use the following HTML payload in the label field:

<a href="https://hackerbro.in">clickhere</a>

*. Generate the api key.

*. Now, click delete.

*. Check that deleting part rendered the html injection.

*. That's the issue.

Solution:

*. Restrict special characters and HTML encode attributes in the input fields.

*. Use regular expressions or other techniques to detect and reject malicious input.

*. Avoid embedding user input into emails unless necessary and always HTML-encode user input before embedding it into emails.

*. Implement proper input validation and sanitization measures to prevent this type of vulnerability from occurring in the future.

Impact

*. A stored HTML injection attack occurs when an attacker injects malicious HTML code into legitimate HTML code of a web application.

*. This vulnerability can lead to various types of attacks, including open redirects, phishing attempts, and browser hijacking.

*. Additionally, an attacker can gain access to the victim's IP address, latitude and longitude, and potentially carry out a camera phishing attack.

*. Overall, a stored HTML injection vulnerability can have severe consequences and it is important to prevent and mitigate this type of attack.

We are processing your report and will contact the btcpayserver team within 24 hours. 2 months ago
We have contacted a member of the btcpayserver team and are waiting to hear back 2 months ago
btcpayserver/btcpayserver maintainer has acknowledged this report 2 months ago
Nicolas Dorier
2 months ago

Several part of the code has similar issue, we are working on fixing it

Nicolas Dorier
2 months ago

https://github.com/btcpayserver/btcpayserver/pull/4545

Nicolas Dorier validated this vulnerability 2 months ago
Manojkumar J has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Manojkumar J
2 months ago

Researcher

Team,

Thanks for the update. Can we assign a cve for this finding?

Nicolas Dorier
2 months ago

Yes, though it need to be mentioned that CSP prevents script injection, as such the severity is moderate.

Manojkumar J
2 months ago

Researcher

Absolutely, you're spot on. It's important to highlight that CSP effectively blocks JavaScript injection attacks.

Nicolas Dorier marked this as fixed in 1.7.5 with commit 02070d 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nicolas Dorier published this vulnerability 2 months ago
Nicolas Dorier gave praise 2 months ago
Thank you, we can close this one.
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
Manojkumar J
2 months ago

Researcher

Thanks, accepted for closure.

to join this conversation