XSS in webmention.js in plaidweb/webmention.js

Valid

Reported on

Jul 11th 2023


Description

webmention.js has an XSS vulnerability here: the comment name is not escaped. https://github.com/PlaidWeb/webmention.js/blob/9457e71433c0d2430bbe767ecc5b5837140d0ee4/static/webmention.js#L330

Proof of Concept

  1. Put webmention.js on your site
  2. Send a webmention that includes an XSS payload in p-name:

     <article class="h-entry">
       <span class="p-name">&lt;img src=x onerror=alert(1)&gt;</span>
     ...

  3. webmention.js will execute an alert on your site

Impact

A malicious JavaScript is evaluated on the website, which may allow the attacker to transfer private information such as cookies, which may include session information, from the victim's machine to the attacker. Phishing attacks could be used to emulate trusted web sites and trick the victim into entering a password, allowing the attacker to compromise the victim's account on that web site.

Occurrences

c.name should be HTML escaped.

          linktext = c.name;
        } else if (c.content && c.content.text) {
          linkclass = "text";
          linktext = extractComment(c);
        }

        const type = `<span class="${linkclass}">${linktext}</span>`;
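The fragment above interpolates `linktext` straight into a template literal, so whatever arrives in the microformats `p-name` (or `p-content`) becomes markup. The following is an added example, not code from webmention.js: it mirrors the branch selection of the fragment in two helpers, one that interpolates the raw value as the vulnerable code did and one that HTML-escapes it first. `escapeHtml`, `renderLinkTextUnsafe`, `renderLinkTextSafe` and the `sampleComment` object are assumed names and constructed data for this example.

```javascript
// Added example, not webmention.js code. Demonstrates why the unescaped
// interpolation in the report is exploitable and what escaping changes.

// Minimal HTML escaper: turns the five characters that can break out of
// text context (or an attribute) into entities.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Picks the same class/text pair the original fragment picks:
// the p-name if present, otherwise the plain-text content.
function selectLinkText(c) {
  if (c.name) {
    return { linkclass: 'name', linktext: c.name };
  }
  if (c.content && c.content.text) {
    return { linkclass: 'text', linktext: c.content.text };
  }
  return { linkclass: 'name', linktext: '' };
}

// Vulnerable form: the value from the remote webmention is dropped into
// markup as-is, so "<img onerror=...>" in p-name becomes a live element.
function renderLinkTextUnsafe(c) {
  const { linkclass, linktext } = selectLinkText(c);
  return `<span class="${linkclass}">${linktext}</span>`;
}

// Hardened form: p-name and p-content.text are plain text, so they are
// escaped at the point where they enter HTML. The class name is chosen
// by this code, not the remote site, so it does not need escaping.
function renderLinkTextSafe(c) {
  const { linkclass, linktext } = selectLinkText(c);
  return `<span class="${linkclass}">${escapeHtml(linktext)}</span>`;
}

// Constructed sample shaped like the parsed webmention in the PoC above.
const sampleComment = { name: '<img src=x onerror=alert(1)>' };
const sampleTextOnly = { content: { text: 'plain "quoted" & <b>bold?</b>' } };

// Stand-alone demonstration.
console.log('unsafe:', renderLinkTextUnsafe(sampleComment));
console.log('safe:  ', renderLinkTextSafe(sampleComment));
console.log('safe:  ', renderLinkTextSafe(sampleTextOnly));
```

The escaped output still displays the literal text `<img src=x onerror=alert(1)>` to the reader, which is what a plaintext property should do; the browser no longer parses it as an element. An equivalent fix in a DOM-rendering code path is to assign the value to `textContent` of a created element instead of building an HTML string.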

We are processing your report and will contact the plaidweb/webmention.js team within 24 hours. 5 months ago
tyage modified the report
5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
tyage modified the report
5 months ago
We have contacted a member of the plaidweb/webmention.js team and are waiting to hear back 5 months ago
plaidweb/webmention.js maintainer
5 months ago

Maintainer


Hi, reviewing this vulnerability it does seem valid. Since the p-name property is plaintext it should be treated as such by the client, rather than being sanitized server-side. I'll work on implementing a fix, and ensuring that other p-properties are also being correctly sanitized.

fluffy gave praise 5 months ago
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
fluffy validated this vulnerability 5 months ago
tyage has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
fluffy marked this as fixed in 0.5.5 with commit 3551b6 5 months ago
fluffy has been awarded the fix bounty
This vulnerability will not receive a CVE
webmention.js#L330 has been validated
plaidweb/webmention.js maintainer published this vulnerability 5 months ago
tyage
5 months ago

Researcher


@fluffy Thank you for the quick fix!

Can you assign a CVE for this vulnerability? webmention.js is widely used (I am one of them :) ) and people can update if they see the CVE.

fluffy
5 months ago

Maintainer


I had attempted to from the huntr.dev interface but it wasn't clear to me how to actually do that; it just told me "This vulnerability will not receive a CVE" with no option to override that. This is my first time using this platform, and the documentation isn't actually being very helpful. How do I assign a CVE?

tyage
5 months ago

Researcher


OK 👌 I think there was an option button to issue a CVE when publishing this issue.

@admin can you help us to assign a CVE?

fluffy
5 months ago

Maintainer


I wasn't given any option, and I had looked around for it.

tyage
5 months ago

Researcher


I see. Let's wait for an admin. I think they can issue one manually, as far as I can see from other reports.

Ben Harvie
5 months ago

Admin


Hi, I've assigned a CVE to this vulnerability as requested :)

tyage
5 months ago

Researcher


Thank you!

fluffy
5 months ago

Maintainer


@admin Another bit of weirdness, it looks like my fix was not assigned to me. Could you look into this?

Thanks!

Ben Harvie
5 months ago

Admin


Hey, the issue with the fix bounty assignment has been resolved :)
