Cross-site Scripting (XSS) - Generic in octoprint/octoprint
Reported on
Apr 20th 2022
Description
The Stream URL of octoprint application allowing xss payload to execute for which its leads to Cross-site Scripting (XSS
Proof of Concept
Login to the application
Now go to settings -> Webcam & Timelapse -> Stream URL and insert the payload "<img src=1 onerror=alert(document.cookie)> in the Stream URL and click on "Test"
You will see that its making a internal GET request
Image POC
https://drive.google.com/drive/folders/1gvRKz8AKOY8XE3O3z4mJdr61heIxGtH7?usp=sharing
Impact
User accounts can be hijacked, credentials could be stolen, sensitive data could be exfiltrated, and lastly, access to your client computers can be obtained.
As being able to successfully launch this attack would require the attacker to already have admin rights (as that is required to modify the mentioned URL), I do not agree with a severity of "critical" here.
I'd actually lean towards "none" (it is kind of a senseless thing to run this attack if you already have full admin rights on the instance anyhow), but would be willing to compromise on "low" considering that 3rd party clients might be compromised with a manipulated URL (though in that case it would also require a lack of sanitisation on their end).
Read through the CVSS docs and now classified as CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H, so high severity.
An attacker would need network access to a target instance, find a user that already has admin rights, somehow talk them into replacing the webcam URL with something completely broken (there's no easy way to do this with a prepared link or something like with the login xss issue, and usually no motivation to do so either) before being able to successfully execute this attack - that requires a ton of work with uncertain outcome. No scope change.
Will look into fixing this, thanks for finding it.
@admin As the severity is high 7.5 why I haven't received the bounty for this report?
A fix has been prepared and will be rolled out with 1.8.0, which is planned to be released next week.
Thanks for the update @Gina. Once the fix has been rolled out, feel free to update the report with the commit SHA which addresses the issue 👍
@admin That is the plan, however it's currently not available in a public repository due to still being under review and testing by myself and some trusted people, and thus I couldn't do that yet (and a public repo is out of the question until just before release to not put people at risk). Your rather insistent automated emails prompted me to at least comment that this was well underway ;)
A friendly suggestion, would it be possible to add some option to mark this as "in progress" in the future? IMHO there's definitely a state between "awaiting fix" and "fixed and can go public right away"
@Gina - thanks for the info on this. I think there are definitely opportunities for improvement here.
I definitely agree that some "in progress" option is required, allowing maintainers to halt further e-mail notifications (as we definitely don't want to bug you) and let the researcher know that a fix is on the way, but might take a bit of time.
How does this sound? Would you mind if I added the above feedback to our public discussion here, just so we can stay on top of it? I will remove your username and any identifying information before doing so :)
@admin sure, go ahead! I'm in the middle of prepping lunch or I'd do it myself even 😅 No need to anonymise me, feel free to even tag me (@foosel on GitHub)
I should add, no need to to anonymise me, but keep the issue out of it - that still needs to stay private until I've been able to push out the 1.8.0 release.
Amazing 🤝 I've posted a comment on the discussion here.
Enjoy your lunch 🥙