CSP passby via js file in usememos/memos

Valid

Reported on

Dec 23rd 2022


Description

Hi,Maintainter You submitted a fix in the latest version 0.9.0 with commit c07b4a.But after many tests, I found that this is still not 100% safe.You have set a very simple csp , which can be bypassed.

Video link

link

https://drive.google.com/file/d/1glQfxLs6pZP6B87cYlIFf7LmLT9Z4oz5/view?usp=share_link

Steps

1.Create a js file named '123.js'.And the contents are as follows.

alert('/xss/')

2.Click the resource section to upload our js file.And we need to copy the path of the js file.For example,the path is

 https://demo.usememos.com/o/r/20/123.js.This path will be used in the following html file

3.Create a html file named 'hello.html'.And the contents are as follows.

Please note that the content of src is the second half path of the js file we just uploaded

<script src='../20/123.js'></script>     //The value of src depends on the path of the js file

4.Finally,preview the hello.html.

My suggestion is to use more secure csp.Or you have a better way.I hope we can make this project better.And the following are my suggestions.

Content-Security-Policy:
  object-src 'none';
  script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:;
  base-uri 'none';
  report-uri https://your-report-collector.example.com/

Impact

(1) To steal the administrator account or cookie, the intruder can log in to the background as an administrator. It enables intruders to manipulate background data maliciously, including reading, changing, adding and deleting some information.

(2) Stealing users' personal information or login accounts will pose a huge threat to the user security of the website. For example, pretend to be a user for various operations.

(3) The website hangs horses. First, embed the malicious attack code into the Web application. When the user browses the hanging horse page, the user's computer will be implanted with a Trojan horse.

(4) Send advertisements or spam messages. Attackers can use XSS vulnerabilities to plant advertisements or send spam, seriously affecting the normal use of users.

Occurrences

Content-Security-Policy: object-src 'none'; script-src 'nonce-{random}' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https: http:; base-uri 'none'; report-uri https://your-report-collector.example.com/

We are processing your report and will contact the usememos/memos team within 24 hours. 17 days ago
Christy__ modified the report
17 days ago
We have contacted a member of the usememos/memos team and are waiting to hear back 16 days ago
Christy__ modified the report
13 days ago
STEVEN validated this vulnerability 11 days ago
Christy__ has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
STEVEN marked this as fixed in 0.10.0 with commit 46c13a 3 days ago
STEVEN has been awarded the fix bounty
This vulnerability has been assigned a CVE
STEVEN published this vulnerability 3 days ago
resource.go#L268 has been validated
to join this conversation