Stored xss bug in go-gitea/gitea
Reported on
May 6th 2022
Description
Stored XSS bug
Proof of Concept
I created a repository on try.gitea.io
and uploaded a pdf file containing xss vector.
https://try.gitea.io/cokeBeer/test/src/branch/main/poc.pdf
Just click the "Raw" button
The xss vector will be triggered
Fix Suggestion
prohibit viewing pdf directly by browser's default viewer
Impact
As the repo is public, any user can view the report, and when they open the attachment the XSS is executed. This bug allows executing any JavaScript code in the victim's account.
References
Looks like the pdf file will pop up the window even if running as a local file.
Yes. I think it is due to the browser's feature as a PDF reader. But an XSS in a local file can't steal cookies or tokens of a target site because of the wrong host (like file://xxxxxx instead of http://gitea.com) and will be less harmful. Prohibiting viewing PDFs directly by the browser's default viewer on the target site will be safer.
I wonder does Content-Security-Policy sandbox header would prevent that (similarly as we do for SVG)
No. The PDF file is viewed directly by Chrome's PDF viewer. Better to just prohibit this like GitHub does.
But GitHub does display pdf files same as we do just under different subdomain
A link please? Mainly I focus on whether the PDF file can be easily controlled by a malicious user.
https://github.com/mozilla/pdf.js/blob/master/examples/learning/helloworld.pdf
when clicking on this on Raw
it will open: https://raw.githubusercontent.com/mozilla/pdf.js/master/examples/learning/helloworld.pdf
With headers:
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream
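The headers quoted above are the whole mitigation: a raw PDF is served as application/octet-stream with a Content-Disposition that forces a download, and the same CSP sandbox that the SVG case already uses is applied, so the browser's built-in PDF viewer never runs script in the site's origin. The following is an added illustration of that header policy in Go, not code from Gitea or from the linked PR; inlineSafe, rawHeaders and ServeRaw are hypothetical names, and the PDF and text samples are constructed.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
)

// Media types the browser may render inline. Everything else, application/pdf
// included, is forced to download. Assumed allow-list for this example.
var inlineSafe = map[string]bool{
	"text/plain": true,
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// rawHeaders computes response headers for a raw blob. sniffed is the media
// type detected from the first bytes of the blob (http.DetectContentType),
// which may carry parameters such as "; charset=utf-8".
func rawHeaders(name string, sniffed string) http.Header {
	mediaType, _, err := mime.ParseMediaType(sniffed)
	if err != nil {
		mediaType = "application/octet-stream"
	}
	h := http.Header{}
	// Same sandbox policy as quoted above, applied to every raw response.
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	// Stop the browser from second-guessing the declared type.
	h.Set("X-Content-Type-Options", "nosniff")
	if inlineSafe[mediaType] {
		h.Set("Content-Type", sniffed)
		h.Set("Content-Disposition", fmt.Sprintf("inline; filename=%q", name))
		return h
	}
	// PDF and any other active content: download only, never the built-in viewer.
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", fmt.Sprintf("attachment; filename=%q", name))
	return h
}

// ServeRaw writes a blob with the headers chosen by rawHeaders.
// Hypothetical handler, not Gitea's routing code.
func ServeRaw(w http.ResponseWriter, name string, content []byte) {
	sniffed := http.DetectContentType(content)
	for k, v := range rawHeaders(name, sniffed) {
		w.Header()[k] = v
	}
	w.WriteHeader(http.StatusOK)
	w.Write(content)
}

func main() {
	// Constructed samples: a minimal PDF header and a plain text file.
	for _, f := range []struct {
		name    string
		content []byte
	}{
		{"poc.pdf", []byte("%PDF-1.4\n% constructed sample, not a real document\n")},
		{"README", []byte("hello world\n")},
	} {
		h := rawHeaders(f.name, http.DetectContentType(f.content))
		fmt.Printf("%-8s -> %s | %s\n", f.name, h.Get("Content-Type"), h.Get("Content-Disposition"))
	}
}
```

Note that http.DetectContentType only inspects the first 512 bytes, so the decision is based on the file's magic signature rather than its name; a file renamed to .txt but starting with %PDF- still downloads, while a genuine PDF with a .png extension is not served inline either.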
On my Chrome, the PDF is downloaded directly via your link. Whatever, I'm just reporting the bug. Whether to fix it is up to you.
I have submitted PR to fix this issue: https://github.com/go-gitea/gitea/pull/19825
@cokebeer I am a little skeptical whether the JS code in a PDF can read the cookie values stored in the browser. I would appreciate it if you could share a PoC.