Improper Input Validation in outline/outline

Valid

Reported on

Aug 26th 2022


Description

At the team update (https://ripob47346.getoutline.com/api/team.update) and user update (https://ripob47346.getoutline.com/api/users.update) functions, avatarUrl was not verified as a correct URL. The user can enter arbitrary values.

Proof of Concept

/api/team.update
/api/users.update

Result: (attached screenshot)

Impact

Similar to This report, and there will probably be other dangerous effects in the future.

We are processing your report and will contact the outline team within 24 hours. a month ago
Nguyen
a month ago

Researcher


I just saw an interesting impact for this vulnerability. The logout API can still be used with GET. This means that if you set avatarUrl to https://ripob47346.getoutline.com/api/auth.delete, anyone who sees the avatar will be logged out (if it's a team avatar, they will be logged out immediately after logging in, because the team avatar is always loaded on the homepage).
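
The description above reports that avatarUrl is stored without being checked, and this comment shows why an unchecked value matters: a browser fetches an avatar with a plain GET, so any GET-reachable endpoint on the app's own origin is triggered by whoever views the image. The following is an added example of server-side validation written for this page; it is not Outline's code, and the names `checkAvatarUrl`, `validateAvatarField`, `APP_ORIGIN` and `ALLOWED_IMAGE_HOSTS` are hypothetical. The origin and the `/api/` paths come from the report; the extra upload host in the allowlist is constructed.

```typescript
// Added example, not Outline's code. checkAvatarUrl, validateAvatarField,
// APP_ORIGIN and ALLOWED_IMAGE_HOSTS are hypothetical names.
const APP_ORIGIN = "https://ripob47346.getoutline.com"; // origin taken from the report

// Constructed allowlist: the app's own host (the maintainer notes images are
// hosted on the app's domain) plus a hypothetical upload-bucket host.
const ALLOWED_IMAGE_HOSTS = new Set<string>([
  new URL(APP_ORIGIN).hostname,
  "uploads.example-bucket.test",
]);

// Nothing under the API namespace may ever be used as an image source: the
// avatar is loaded with a GET, so a GET-reachable endpoint would execute on view.
const API_PATH = /^\/api(\/|$)/i;

// Parse an absolute URL, returning null instead of throwing on bad input.
function parseUrl(value: string): URL | null {
  try {
    return new URL(value); // throws on relative paths and malformed strings
  } catch {
    return null;
  }
}

// Percent-decode a path for comparison; malformed escapes yield null.
function decodePath(pathname: string): string | null {
  try {
    return decodeURIComponent(pathname);
  } catch {
    return null;
  }
}

/** Returns null when the value is acceptable as an avatar URL, else the rejection reason. */
function checkAvatarUrl(candidate: unknown): string | null {
  if (typeof candidate !== "string") return "avatarUrl must be a string";
  if (candidate.length === 0 || candidate.length > 2048) return "avatarUrl has an invalid length";

  const url = parseUrl(candidate);
  if (url === null) return "avatarUrl is not an absolute URL";

  if (url.protocol !== "https:") return "avatarUrl must use https";
  if (url.username !== "" || url.password !== "") return "avatarUrl must not embed credentials";
  if (!ALLOWED_IMAGE_HOSTS.has(url.hostname)) return "avatarUrl host is not an allowed image host";

  // Compare the decoded path so an encoded spelling of /api/ is caught as well.
  const path = decodePath(url.pathname);
  if (path === null) return "avatarUrl path is malformed";
  if (API_PATH.test(path)) return "avatarUrl must not point at the API";

  return null;
}

/** Hypothetical handler-side check for a team.update or users.update body. */
function validateAvatarField(body: { avatarUrl?: unknown }): { ok: boolean; error?: string } {
  if (body.avatarUrl === undefined) return { ok: true }; // field is not being changed
  const reason = checkAvatarUrl(body.avatarUrl);
  return reason === null ? { ok: true } : { ok: false, error: reason };
}

// Stand-alone usage with the value from this report:
console.log(validateAvatarField({ avatarUrl: `${APP_ORIGIN}/api/auth.delete` }));
console.log(validateAvatarField({ avatarUrl: `${APP_ORIGIN}/images/avatar.png` }));
```

The host allowlist is the part that actually closes the issue: once an avatar may only point at hosts the application controls, the remaining check is that nothing on those hosts is a state-changing endpoint, which is why the `/api/` prefix is rejected after percent-decoding. A scheme check alone would still let a same-origin API URL through.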

Nguyen Cong Vinh modified the report
a month ago
We have contacted a member of the outline team and are waiting to hear back a month ago
Tom Moor
a month ago

Maintainer


There is a small lack of validation here; please go ahead and prove an actual vulnerability.

Nguyen
a month ago

Researcher


In the impact I wrote that, if you replace it with the payload of this report, it will be similar to that report. Or, as in the comments below, along with other small errors, the attacker inserts the logout URL and can cause anyone who sees his avatar to be logged out immediately. If the attacker embeds the logout URL in the team avatar, things get much worse (the team avatar is always loaded on the homepage). The fact that the user can arbitrarily edit avatarUrl is inherently outside the operating logic of the application; not filtering the input will create many other potential risks in the future.

Nguyen
a month ago

Researcher


Tom Moor
a month ago

Maintainer


Would accept as Low again, the same as the other report. There really isn't any realistic impact, as images are hosted on their own domain and you'd have to actively open the image URL separately.

Nguyen
25 days ago

Researcher


I also think the same. Thank you for not proactively changing the impact level. I will find a way to change it to Low.

Nguyen Cong Vinh modified the report
25 days ago
We have sent a follow up to the outline team. We will try again in 7 days. 24 days ago
Tom Moor validated this vulnerability 23 days ago
Nguyen Cong Vinh has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Tom Moor confirmed that a fix has been merged on b8115a 23 days ago
The fix bounty has been dropped