Stored XSS bug in go-gitea/gitea
May 6th 2022
Stored XSS bug
Proof of Concept
I created a repository on try.gitea.io and uploaded a PDF file containing an XSS vector.
Just click the "Raw" button. The XSS vector will be triggered.
Prohibit viewing PDFs directly in the browser's default viewer.
Looks like the PDF file will pop up the window even when run as a local file.
Yes. I think it is due to the browser's feature as a PDF reader. But an XSS in a local file can't steal the cookie or token of a target site because of the wrong host (like file://xxxxxx instead of http://gitea.com) and will be less harmful. Prohibiting viewing PDFs directly in the browser's default viewer on the target site will be safer.
I wonder whether a Content-Security-Policy sandbox header would prevent that (similar to what we do for SVG).
No. The PDF file is viewed directly by Chrome's PDF viewer. Better to just prohibit this like GitHub does.
But GitHub does display PDF files the same way we do, just under a different subdomain.
A link, please? Mainly I focus on whether the PDF file can be easily controlled by a malicious user.
When clicking on "Raw" on this, it will open: https://raw.githubusercontent.com/mozilla/pdf.js/master/examples/learning/helloworld.pdf
with the response headers:
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
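The hardening the thread converges on, serving the PDF as a download (Content-Type: application/octet-stream, as in the GitHub headers quoted above) plus the sandboxing Content-Security-Policy, instead of letting the browser's built-in viewer render it under the site's origin, as an added Go example. This is not Gitea's code and not the contents of the linked PR: the `rawHeaders`, `rawHandler` and `fetchHeaders` functions, the `inlineSafe` allowlist and the `sampleFiles` contents are all assumptions of this example, and the placeholder PDF bytes carry no payload.

```go
package main

import (
	"fmt"
	"io"
	"mime"
	"net/http"
	"net/http/httptest"
	"path"
	"strings"
)

// Constructed sample "repository files" (placeholders, not the reporter's PoC).
var sampleFiles = map[string][]byte{
	"poc.pdf":   []byte("%PDF-1.4\n% constructed placeholder, no payload\n%%EOF\n"),
	"README.md": []byte("# hello\n"),
	"logo.png":  []byte("\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),
}

// inlineSafe lists the sniffed MIME types this example is willing to let the
// browser render in place. application/pdf is deliberately absent so that the
// browser's PDF viewer never gets to open the file from the site's origin.
var inlineSafe = map[string]bool{
	"text/plain": true,
	"image/png":  true,
	"image/jpeg": true,
	"image/gif":  true,
}

// rawHeaders decides the response headers for a raw file.
// hardened=false mirrors the weak behaviour: the sniffed type is served inline.
// hardened=true forces every non-allowlisted type to be downloaded and adds the
// same sandboxing CSP GitHub sends for raw.githubusercontent.com.
func rawHeaders(name string, data []byte, hardened bool) http.Header {
	h := http.Header{}
	// DetectContentType implements WHATWG sniffing; a "%PDF-" prefix yields application/pdf.
	ct := http.DetectContentType(data)
	base := ct
	if i := strings.Index(ct, ";"); i >= 0 {
		base = strings.TrimSpace(ct[:i])
	}
	if !hardened {
		h.Set("Content-Type", ct)
		return h
	}
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'; style-src 'unsafe-inline'; sandbox")
	filename := map[string]string{"filename": path.Base(name)}
	if inlineSafe[base] {
		h.Set("Content-Type", ct)
		h.Set("Content-Disposition", mime.FormatMediaType("inline", filename))
		return h
	}
	// Anything else (PDF included) is a download: generic type plus attachment disposition.
	h.Set("Content-Type", "application/octet-stream")
	h.Set("Content-Disposition", mime.FormatMediaType("attachment", filename))
	return h
}

// rawHandler serves /raw/<name> from sampleFiles using rawHeaders.
func rawHandler(hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		name := strings.TrimPrefix(r.URL.Path, "/raw/")
		data, ok := sampleFiles[name]
		if !ok {
			http.NotFound(w, r)
			return
		}
		for k, v := range rawHeaders(name, data, hardened) {
			w.Header()[k] = v
		}
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write(data)
	})
}

// fetchHeaders requests a file from an in-process server and returns the
// Content-Type and Content-Disposition a browser would see.
func fetchHeaders(hardened bool, name string) (contentType, disposition string) {
	srv := httptest.NewServer(rawHandler(hardened))
	defer srv.Close()
	resp, err := http.Get(srv.URL + "/raw/" + name)
	if err != nil {
		panic(err)
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body)
	return resp.Header.Get("Content-Type"), resp.Header.Get("Content-Disposition")
}

func main() {
	for _, hardened := range []bool{false, true} {
		for _, name := range []string{"poc.pdf", "README.md", "logo.png"} {
			ct, cd := fetchHeaders(hardened, name)
			fmt.Printf("hardened=%-5v %-10s Content-Type=%q Content-Disposition=%q\n", hardened, name, ct, cd)
		}
	}
}
```

With `hardened=false` the PDF goes out as `application/pdf` and Chrome opens it in its viewer; with `hardened=true` it goes out as `application/octet-stream` with an `attachment` disposition, so the browser saves it instead. The `Content-Disposition` header is this example's own addition on top of the GitHub headers quoted above; `X-Content-Type-Options: nosniff` keeps a browser from second-guessing the generic type.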
On my Chrome, the PDF is downloaded directly via your link. Whatever, I just advised you of the bug. Whether to fix it is up to you.
Imho the CVSS is AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N - 4.4
I have submitted a PR to fix this issue: https://github.com/go-gitea/gitea/pull/19825
@cokebeer I am a little skeptical whether the JS code in a PDF can read the cookie values stored in the browser. I would appreciate it if you could share a PoC.