Stored XSS bug in go-gitea/gitea

Valid

Reported on

May 6th 2022


Description

Stored XSS bug

Proof of Concept

I created a repository on try.gitea.io and uploaded a PDF file containing an XSS vector.

https://try.gitea.io/cokeBeer/test/src/branch/main/poc.pdf

Just click the "Raw" button. The XSS vector will be triggered.

Fix Suggestion

Prohibit viewing PDFs directly in the browser's default viewer.

Impact

As the repo is public, any user can view the report, and when they open the attachment the XSS is executed. This bug allows executing any JavaScript code in the victim's account.


We are processing your report and will contact the go-gitea/gitea team within 24 hours. a year ago
cokebeer modified the report
a year ago
We have contacted a member of the go-gitea/gitea team and are waiting to hear back a year ago
Lunny Xiao
a year ago

Maintainer


Looks like the pdf file will pop up the window even if running as a local file.

cokebeer
a year ago

Researcher


Yes. I think it is due to the browser's feature as a PDF reader. But an XSS in a local file can't steal a cookie or token on a target site because of the wrong host (like file://xxxxxx instead of http://gitea.com) and will be less harmful. Prohibiting viewing PDFs directly in the browser's default viewer on the target site will be safer.

cokebeer
a year ago

Researcher


any feedback?

We have sent a follow up to the go-gitea/gitea team. We will try again in 7 days. a year ago
We have sent a second follow up to the go-gitea/gitea team. We will try again in 10 days. a year ago
Lauris BH
a year ago

Maintainer


I wonder whether a Content-Security-Policy sandbox header would prevent that (similar to what we do for SVG).

cokebeer
a year ago

Researcher


No. The PDF file is viewed directly by Chrome's PDF viewer. Better to just prohibit this like GitHub does.

Lauris BH
a year ago

Maintainer


But GitHub does display PDF files the same as we do, just under a different subdomain.

cokebeer
a year ago

Researcher


A link please? Mainly I focus on whether the PDF file can be easily controlled by a malicious user.

We have sent a third and final follow up to the go-gitea/gitea team. This report is now considered stale. a year ago
Lauris BH
a year ago

Maintainer


https://github.com/mozilla/pdf.js/blob/master/examples/learning/helloworld.pdf

When clicking Raw on this, it will open: https://raw.githubusercontent.com/mozilla/pdf.js/master/examples/learning/helloworld.pdf

With headers:

Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: application/octet-stream

cokebeer
a year ago

Researcher


On my Chrome, the PDF is downloaded directly via your link. Whatever, I just advise of the bug. Whether to fix it is up to you.

Lauris BH modified the Severity from High to Low a year ago
Lauris BH
a year ago

Maintainer


Imho CVSS is AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N - 4.4

Lauris BH modified the Severity from Low to Medium (4.4) a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Lauris BH validated this vulnerability a year ago
cokebeer has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Lauris BH
a year ago

Maintainer


I have submitted PR to fix this issue: https://github.com/go-gitea/gitea/pull/19825

Lauris BH marked this as fixed in 1.16.9 with commit 65e068 a year ago
Lauris BH has been awarded the fix bounty
This vulnerability will not receive a CVE
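
The mitigation discussed in this thread (keep the browser's built-in viewer from rendering an uploaded PDF at the application's own origin, and send the restrictive headers quoted above from raw.githubusercontent.com), sketched as a Go handler. This is an added example, not Gitea's code and not the change in the linked PR; `setRawHeaders`, `rawHandler`, `headersFor`, the `inlineSafe` allowlist and the sample files are hypothetical and constructed for illustration.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
)

var (
	// Hypothetical allowlist of media types the browser may render inline; PDF is deliberately absent.
	inlineSafe = map[string]bool{"text/plain": true, "image/png": true, "image/jpeg": true}
	files      = map[string][]byte{"poc.pdf": []byte("%PDF-1.4\n% constructed\n"), "README.txt": []byte("hello\n")} // constructed samples
)

// setRawHeaders sends anything outside the allowlist as an opaque download and sandboxes every response.
func setRawHeaders(h http.Header, filename string, sniff []byte) {
	ctype, disp := "application/octet-stream", "attachment"
	sniffed := http.DetectContentType(sniff) // inspects at most the first 512 bytes
	if mt, _, _ := mime.ParseMediaType(sniffed); inlineSafe[mt] {
		ctype, disp = sniffed, "inline"
	}
	h.Set("Content-Type", ctype)
	h.Set("Content-Disposition", mime.FormatMediaType(disp, map[string]string{"filename": filename}))
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	h.Set("X-Content-Type-Options", "nosniff") // stop the browser from re-sniffing the body as PDF or HTML
}

func rawHandler(w http.ResponseWriter, r *http.Request) {
	name := path.Base(r.URL.Path)
	if data, ok := files[name]; ok {
		setRawHeaders(w.Header(), name, data)
		w.Write(data)
		return
	}
	http.NotFound(w, r)
}

// headersFor runs rawHandler on an in-memory request and returns the response headers.
func headersFor(urlPath string) http.Header {
	rec := httptest.NewRecorder()
	rawHandler(rec, httptest.NewRequest(http.MethodGet, urlPath, nil))
	return rec.Result().Header
}

func main() {
	fmt.Println(headersFor("/raw/poc.pdf"), headersFor("/raw/README.txt"))
}
```

Serving raw content from a separate origin, as the thread notes GitHub does with its own subdomain, adds isolation on top of these headers.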
无在无不在
4 months ago

@cokebeer I am a little skeptical whether the js code in PDF can read the cookie values stored in the browser? I would appreciate it if you could share a PoC
