XSS on URL recorder in rhizome-conifer/conifer

Valid

Reported on

Aug 19th 2022


Description

Hi Team,

I found an XSS vulnerability in the URL recorder at https://conifer.rhizome.org/"USERNAME"/default-collection/

Proof of Concept

Image: https://ibb.co/dBr0QQr

https://conifer.rhizome.org/"USERNAME"/default-collection/ymwk7czqxwt4l3we/record/%3Cimg%20src=x%20onerror=%22confirm(document.domain)%22%3E

And this is another example, via another user, from my account:

Image: https://ibb.co/rdWw2Cj

The previous image contains the user's cookie.

Mitigation

Filter input on arrival. Encode data on output.

Impact

An attacker can take over any account by just sending a link to the victim.
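The Mitigation section above names the two standard controls, input filtering on arrival and encoding on output. The following is an added illustration, not code from the report or from the conifer project, that shows both against the exact percent-encoded path segment from the Proof of Concept URL. It feeds the rendered HTML through Python's own parser to show what a browser would see: the unescaped reflection yields an extra `img` tag with an `onerror` handler, while the escaped version yields only the surrounding paragraph. The allowlist pattern for the recording id is an assumption based on the id that appears in the PoC URL (`ymwk7czqxwt4l3we`); the real route handler and template names in conifer are not shown here.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample: the percent-encoded path segment from the report's PoC URL.
# Decoded it is an <img> element whose onerror attribute runs script.
SAMPLE_SEGMENT = "%3Cimg%20src=x%20onerror=%22confirm(document.domain)%22%3E"

# Assumption: recording ids are lowercase alphanumerics like "ymwk7czqxwt4l3we".
RECORDING_ID = re.compile(r"^[a-z0-9]{8,32}$")


def render_unsafe(segment: str) -> str:
    """Vulnerable pattern: decode the path segment and reflect it into HTML verbatim."""
    return f"<p>Recording: {unquote(segment)}</p>"


def render_escaped(segment: str) -> str:
    """Encode on output: HTML-escape the decoded segment (including quotes) first."""
    return f"<p>Recording: {html.escape(unquote(segment), quote=True)}</p>"


def accept_on_arrival(segment: str) -> bool:
    """Filter on arrival: only accept segments that match the expected id shape."""
    return RECORDING_ID.fullmatch(unquote(segment)) is not None


class TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser produces."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parsed_tags(markup: str) -> tuple[list[str], list[str]]:
    """Parse rendered HTML the way a browser would and return (tags, event handlers)."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector.tags, collector.handlers


if __name__ == "__main__":
    print("unsafe :", parsed_tags(render_unsafe(SAMPLE_SEGMENT)))
    print("escaped:", parsed_tags(render_escaped(SAMPLE_SEGMENT)))
    print("arrival filter on PoC segment:", accept_on_arrival(SAMPLE_SEGMENT))
    print("arrival filter on real-looking id:", accept_on_arrival("ymwk7czqxwt4l3we"))
```

The two controls are complementary: the arrival filter rejects the payload before any handler runs, and output escaping protects every template that reflects the value even where a filter is missing, which is why the report's mitigation lists both.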

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. a month ago
maakthon modified the report
a month ago
We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back a month ago
maakthon modified the report
a month ago
maakthon modified the report
a month ago
maakthon
a month ago

Researcher


@admin Should I continue testing this program, or is it gone?

Jamie Slome
a month ago

Admin


Can you please clarify what you mean by "gone"?

maakthon
a month ago

Researcher


@admin I mean, is the program open to test?

maakthon
a month ago

Researcher


I did not get any reply from the fixer!

Jamie Slome
a month ago

Admin


We send multiple reminders to the maintainer, so please allow 2 more weeks for the maintainer to respond, as we do get a lot of maintainers that reply after a few automatic e-mail pings from us.

We have sent a follow up to the rhizome-conifer/conifer team. We will try again in 7 days. a month ago
maakthon
a month ago

Researcher


Okay, I got that. Thank you so much.

maakthon
24 days ago

Researcher


Any updates?

We have sent a second follow up to the rhizome-conifer/conifer team. We will try again in 10 days. 24 days ago
rhizome-conifer/conifer maintainer validated this vulnerability 24 days ago
maakthon has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
maakthon
23 days ago

Researcher


Can you please assign a CVE for this bug? And what about the bounty?

Jamie Slome
23 days ago

Admin


Happy to assign a CVE once we get the go-ahead from the maintainer.

With regards to bounties, we are currently only rewarding bounties for reports against the applications listed here 👍

We have sent a fix follow up to the rhizome-conifer/conifer team. We will try again in 7 days. 21 days ago
rhizome-conifer/conifer maintainer confirmed that a fix has been merged on 5a83e7 16 days ago
The fix bounty has been dropped