Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway

Valid

Reported on

Dec 14th 2021


Description

The stored XSS vulnerability occurs in the chat window because the user's input value is inserted into the web page without any verification or HTML-entity encoding.

                // Fragment of textroomtest.js: sending a private ("whisper") message
                to: username,
                text: result
            };
            textroom.data({
                text: JSON.stringify(message),
                error: function(reason) { bootbox.alert(reason); },
                success: function() {
                    // Sink: `result` is concatenated into HTML markup and appended
                    // to the chat window without entity encoding
                    $('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
                    $('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
                }
            });
        }
    });
    return;

The code above is the logic that renders a participant's private chat message into the chat window. Because it does not convert the value of result to HTML entities before appending it, it causes stored XSS. This is the private-message feature, so the injected markup is rendered in the chat window of the user who sent it; in other words, it is a vulnerability of the web service itself rather than direct damage to other users.
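As an added illustration (not code from the Janus project or from this report), here is the vulnerable concatenation beside a version that entity-encodes the untrusted values before they are appended; escapeHtml, whisperLineUnsafe, whisperLineSafe and containsForeignTag are hypothetical names, and the sample payloads are the ones listed in the proof of concept.

```javascript
// Added example, not Janus code: vulnerable vs. entity-encoded rendering of a
// private chat line. All function names here are hypothetical.

// Replace each HTML-significant character with its entity so attacker text is
// shown as text and never parsed as markup. This neutralises both PoC payloads
// (<img onerror=...> and <a href="javascript:...">): no tag is ever formed.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, function (ch) {
    return {
      '&': '&amp;', '<': '&lt;', '>': '&gt;',
      '"': '&quot;', "'": '&#39;', '/': '&#x2F;'
    }[ch];
  });
}

// Vulnerable form, mirroring the report's sink: `display` and `result` are
// interpolated into the HTML string exactly as received.
function whisperLineUnsafe(dateString, display, result) {
  return '<p style="color: purple;">[' + dateString + '] <b>[whisper to ' +
    display + ']</b> ' + result + '</p>';
}

// Hardened form: every value that originates from another participant (the
// recipient's display name and the message body) is encoded before it is
// concatenated. Only the fixed template and the timestamp remain raw HTML.
function whisperLineSafe(dateString, display, result) {
  return '<p style="color: purple;">[' + dateString + '] <b>[whisper to ' +
    escapeHtml(display) + ']</b> ' + escapeHtml(result) + '</p>';
}

// Regression check: does the rendered line contain a tag that is not part of
// the template? Useful as a unit test around the rendering helper.
function containsForeignTag(html) {
  return /<(img|a|script)\b/i.test(html);
}

// Constructed sample input: the two payloads listed in the proof of concept.
const samples = [
  '<img src=x onerror=alert(document.domain)>',
  '<a href="javascript:alert(1)">xss</a>'
];

for (const s of samples) {
  console.log('unsafe renders a tag:', containsForeignTag(whisperLineUnsafe('12:00', 'bob', s)));
  console.log('safe renders a tag:  ', containsForeignTag(whisperLineSafe('12:00', 'bob', s)));
}
```

The same check applies to the public chat path: any value that another participant controls, display names included, must go through the encoder before it reaches the DOM.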

Proof of Concept

1. Open https://janus.conf.meetecho.com/textroomtest.html in two browser windows.
2. Click the Start button in each window (so that two participants are in the chat room at the same time).
3. Click Participants, use the private chat feature and enter <img src=x onerror=alert(document.domain)> or <a href="javascript:alert(1)">xss</a>.
4. The injected script then executes in the chat window.

Video: https://www.youtube.com/watch?v=bOOPCaNnIfI

Impact

Through this vulnerability, an attacker is capable of executing malicious scripts in the chat window.

We are processing your report and will contact the meetecho/janus-gateway team within 24 hours. a year ago
Pocas modified the report
a year ago
We have contacted a member of the meetecho/janus-gateway team and are waiting to hear back a year ago
meetecho/janus-gateway maintainer (Maintainer), a year ago:

This was already fixed in PR 2817 https://github.com/meetecho/janus-gateway/pull/2817

meetecho/janus-gateway maintainer (Maintainer), a year ago:

Ah no wait, I think you're right: that fixed display names and messages in the public chat, but not private messages possibly. I'll have a look.

Pocas (Researcher), a year ago:

Hello! This means no XSS to the other side. Vulnerability of simple web service itself 😀

meetecho/janus-gateway maintainer validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
meetecho/janus-gateway maintainer marked this as fixed in 0.11.7 with commit f62bba a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
textroomtest.js#L354 has been validated
meetecho/janus-gateway maintainer (Maintainer), a year ago:

Yep, I found the line we forgot to update in PR 2817 and fixed that now. Thanks!

Pocas (Researcher), a year ago:

Thank you for fixing this issue. Have a good day!
