Cross-site Scripting (XSS) - Stored in meetecho/janus-gateway

Status: Valid

Reported on: Dec 14th 2021


Description

The stored XSS vulnerability occurs in the chat window because the user's input value is inserted into the web page without being escaped or validated.

    to: username,
    text: result
};
textroom.data({
    text: JSON.stringify(message),
    error: function(reason) { bootbox.alert(reason); },
    success: function() {
        // 'result' (the message typed by the user) is concatenated straight into the
        // markup without HTML-entity escaping, so tags in it are parsed as HTML
        $('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
        $('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
    }
});
}
});
return;

The code above is the logic that writes a participant's private chat message into the chat window. Because the value of result is not converted to HTML entities before it is concatenated into the markup, it causes stored XSS. This is the private-message feature, so the issue is seen as a vulnerability of the website itself rather than as damage to other users.
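As an added example (not code from janus-gateway or from this report), the whisper line is rebuilt with HTML-entity escaping of the user-controlled fields, beside the unescaped shape shown above; escapeHtml, renderWhisperLine, renderWhisperLineUnsafe and containsUnexpectedTag are names chosen here, and getDateString is a stand-in for the demo's timestamp helper.

```javascript
// Added example, not janus-gateway code. escapeHtml, renderWhisperLine,
// renderWhisperLineUnsafe and containsUnexpectedTag are illustrative names;
// getDateString is a stand-in for the demo's timestamp helper.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Replace the five HTML-significant characters with entities in one pass,
// so '&' is escaped without re-escaping entities produced earlier.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

function getDateString() {
  return new Date().toISOString();
}

// The vulnerable shape from the report: display name and message text are
// concatenated straight into markup, so a message such as
// <img src=x onerror=...> is parsed as a tag when appended to #chatroom.
function renderWhisperLineUnsafe(display, result) {
  return '<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' +
    display + ']</b> ' + result + '</p>';
}

// Hardened form: every user-controlled field is escaped before concatenation,
// so the same text is displayed literally instead of being interpreted as HTML.
function renderWhisperLine(display, result) {
  return '<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' +
    escapeHtml(display) + ']</b> ' + escapeHtml(result) + '</p>';
}

// Review check for a rendered chat line: the only tags that may appear are the
// <p> wrapper and the <b> label that the template itself emits.
function containsUnexpectedTag(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some((tag) => !/^<\/?(p|b)(\s|>)/.test(tag));
}

// Constructed sample input: the two payloads quoted in the report.
const SAMPLE_PAYLOADS = [
  '<img src=x onerror=alert(document.domain)>',
  '<a href="javascript:alert(1)">xss</a>',
];

for (const payload of SAMPLE_PAYLOADS) {
  console.log(containsUnexpectedTag(renderWhisperLineUnsafe('alice', payload))); // true
  console.log(containsUnexpectedTag(renderWhisperLine('alice', payload)));       // false
}
```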

Proof of Concept

1. Open https://janus.conf.meetecho.com/textroomtest.html in two browser windows.
2. Click the Start button in both windows (two participants join the chat room at the same time).
3. Click Participants, use the private chat feature, and send <img src=x onerror=alert(document.domain)> or <a href="javascript:alert(1)">xss</a>.
4. The XSS then fires in the chat window.

Video : https://www.youtube.com/watch?v=bOOPCaNnIfI

Impact

Through this vulnerability, an attacker is able to execute malicious scripts in the chat window.

We are processing your report and will contact the meetecho/janus-gateway team within 24 hours. (a month ago)
Pocas modified their report (a month ago)
We have contacted a member of the meetecho/janus-gateway team and are waiting to hear back (a month ago)
meetecho/janus-gateway maintainer
a month ago

Maintainer


This was already fixed in PR 2817 https://github.com/meetecho/janus-gateway/pull/2817

meetecho/janus-gateway maintainer
a month ago

Maintainer


Ah no wait, I think you're right: that fixed display names and messages in the public chat, but not private messages possibly. I'll have a look.

Pocas
a month ago

Researcher


Hello! This means no XSS to the other side. Vulnerability of simple web service itself 😀

meetecho/janus-gateway maintainer validated this vulnerability (a month ago)
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
meetecho/janus-gateway maintainer confirmed that a fix has been merged on f62bba (a month ago)
The fix bounty has been dropped
textroomtest.js#L354 has been validated
meetecho/janus-gateway maintainer
a month ago

Maintainer


Yep, I found the line we forgot to update in PR 2817 and fixed that now. Thanks!

Pocas
a month ago

Researcher


Thank you for fixing this issue. Have a good day!