Lack of sanitisation of characters in SSH key name could allow attacker to inject a hyperlink injection in ikus060/rdiffweb
Reported on
Dec 20th 2022
Description
Lack of sanitisation of characters in the SSH key name could allow an attacker to inject a hyperlink into the notification email, which could redirect a victim to a malicious website.
Proof of Concept
1) Go to https://rdiffweb-dev.ikus-soft.com/prefs/sshkeys
2) Add an SSH key
3) Enter the name evil.com
4) Due to the lack of sanitisation, the name may be rendered as a clickable hyperlink once the notification email for the added SSH key is sent
Impact
This issue allows an attacker to redirect a victim to a malicious website and carry out a phishing attack.
I still have a problem with this kind of vulnerability. I don't see why Rdiffweb should try to sanitize the SSH key name.
First, it could be perfectly valid for a user to name the SSH key with a dot, to follow the naming convention of an FQDN.
Second, it's not Rdiffweb that creates a link out of "evil.com"; it's the mail client. GMail, as an example, creates a link for anything similar to a domain name. If there is a vulnerability, they should be the ones fixing it.
Third, well-known open-source projects like GitLab are not sanitizing the value either. It's perfectly valid in GitLab, and probably GitHub, to provide the token name "evil.com" for an SSH key. And I feel it's right. And yes, the "evil.com" gets converted to a link.
So I think I won't get this fixed after all.
@maintainer ,
I strongly believe that this must be fixed, mainly for 2 reasons:
- A notification is going to be triggered for adding an SSH key; it is our role here to filter the key name, as it is initially vulnerable on the application side.
- It's all about adding sanitisation for certain characters, like a '.', that will make the application more secure against a phishing attack.
Let's say somebody sets an access key or SSH key name as 'You have been hacked , contact evil.com'. This will exploit the user's attention and will cause an impact on the rdiffweb application, as the notification is triggered from rdiffweb.
I believe it is a must-fix issue.
I agree that GitLab might not be sanitising such parameters, but they have other aspects that prevent this issue from occurring. As rdiffweb is not able to attain those security measures, it is important for character sanitisation to take place to keep users safe from such phishing attacks.
If the phishing is the real vulnerability, I will find a way to sanitize the email that gets sent to the user instead of blocking the user from entering an SSH key name that includes a dot (.).
I might have found a way to make sure GMail is not converting "evil.com" to a link. That should cover it.
@maintainer, the best way is to implement a fix where GMail does not convert it into a link.
I've deployed a temporary version on rdiffweb-dev.ikus-soft.com. This version ensures "evil.com" is not converted into a link by GMail and other mail clients.
Meanwhile, "evil.com" is still a valid SSH key title.
Sorry, that version is not yet deployed. It should be within the next hour.
Yes sir, it's working. The fix that has been deployed ensures that it is not converted into a hyperlink 👍
I think it's the best way to get this vulnerability fixed, while keeping the possibility to add special characters in the SSH key or token name. I don't want to restrict the user only.
I will complete the changes with that feature and the SSH key change, probably this week.
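The approach the thread converges on is to leave the SSH key name unrestricted and instead make the notification email safe to render. The following is an added example, not rdiffweb's code and not necessarily the technique the maintainer deployed: it keeps the stored key name intact, and when rendering the notification it places an invisible Unicode word joiner (U+2060) after every dot so that "evil.com" is no longer a contiguous domain-like token. The `AUTOLINK_RE` pattern is a constructed approximation of the matcher a mail client such as GMail applies to bare domain names; real clients differ, so whether a given client's linkifier is defeated by this is an assumption to verify against that client, as was done on the dev instance in the thread. The names `defang_name` and `render_notification` are hypothetical.

```python
import html
import re

# Constructed approximation of a mail client's auto-link matcher for bare
# domain names ("evil.com", "www.example.org"). ASSUMPTION: real clients use
# different, undocumented heuristics; this only models the common case.
AUTOLINK_RE = re.compile(
    r'\b(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.IGNORECASE)

# Zero-width, non-printing character. ASSUMPTION: inserting it after each dot
# breaks dot-based domain detection; verify with each mail client you target.
WORD_JOINER = "\u2060"


def autolinked(text):
    """Return the substrings a client following AUTOLINK_RE would turn into links."""
    return AUTOLINK_RE.findall(text)


def defang_name(name):
    """Display form of a user-supplied name (hypothetical helper).

    The stored name is never modified; only the copy rendered into the
    notification gets a word joiner after every '.' so that a domain-like
    name such as 'evil.com' no longer forms one contiguous domain token.
    """
    return name.replace(".", "." + WORD_JOINER)


def render_notification(key_name, hardened):
    """Body of the 'SSH key added' notification (hypothetical template).

    hardened=False reproduces the reported behaviour: the raw name lands in
    the mail body and a client may auto-link it. hardened=True applies
    defang_name(). HTML-escaping happens in both branches; the issue here is
    not HTML injection but plain text that looks like a URL.
    """
    shown = defang_name(key_name) if hardened else key_name
    return ('A new SSH key named "%s" was added to your account. '
            'If you did not do this, review your keys.') % html.escape(shown)


if __name__ == "__main__":
    # Constructed sample names, including the phishing-style one from the thread.
    for name in ("evil.com", "You have been hacked , contact evil.com",
                 "backup.example.org"):
        print("raw      ->", autolinked(render_notification(name, hardened=False)))
        print("hardened ->", autolinked(render_notification(name, hardened=True)))
```

Two practical caveats: the joiner survives copy-and-paste, so it must only be applied at render time and never written back to the stored key name, and a legitimate name like "backup.example.org" stays readable in the mail while still not being linkified under this matcher.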