XSS on URL recorder in rhizome-conifer/conifer

Valid

Reported on

Aug 19th 2022

Description

Hi Team ,

I found XSS vulnerability in url recorder https://conifer.rhizome.org/"USERNAME"/default-collection/

Proof of Concept

Image : https://ibb.co/dBr0QQr

https://conifer.rhizome.org/"USERNAME"/default-collection/ymwk7czqxwt4l3we/record/%3Cimg%20src=x%20onerror=%22confirm(document.domain)%22%3E

and this is another example via another user from my account :

Image : https://ibb.co/rdWw2Cj

previous image contains user cookie

Mitigation

Filter input on arrival. Encode data on output.

Impact

Attacker can takeover any account by just send link to the victim.

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. a year ago

maakthon modified the report

a year ago

We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back a year ago

maakthon modified the report

a year ago

maakthon modified the report

a year ago

maakthon

commented a year ago

Researcher

@admin Should I continue testing this program or its gone ?

Jamie Slome

commented a year ago

Admin

Can you please clarify what you mean by "gone"?

maakthon

commented a year ago

Researcher

@admin I mean that the program is open to test ?

maakthon

commented a year ago

Researcher

I did not got any reply from the fixer!

Jamie Slome

commented a year ago

Admin

We send multiple reminders to the maintainer so please allow 2 more weeks for the maintainer to respond, as we do get a lot of maintainers that reply after a few automatic e-mail pings from us.

We have sent a follow up to the rhizome-conifer/conifer team. We will try again in 7 days. a year ago

maakthon

commented a year ago

Researcher

Okay, I got that. Thank you so much.

maakthon

commented a year ago

Researcher

Any updates ?

We have sent a second follow up to the rhizome-conifer/conifer team. We will try again in 10 days. a year ago

A rhizome-conifer/conifer maintainer validated this vulnerability a year ago

maakthon has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

maakthon

commented a year ago

Researcher

Can you please assign a CVE for this bug ? And What about the bounty ?

Jamie Slome

commented a year ago

Admin

Happy to assign a CVE once we get the go-ahead from the maintainer.

With regards to bounties, we are currently on rewarding bounties for reports against listed applications here 👍

We have sent a fix follow up to the rhizome-conifer/conifer team. We will try again in 7 days. a year ago

A rhizome-conifer/conifer maintainer marked this as fixed in develop with commit 5a83e7 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation

We are processing your report and will contact the rhizome-conifer/conifer team within 24 hours. a year ago

maakthon modified the report

a year ago

We have contacted a member of the rhizome-conifer/conifer team and are waiting to hear back a year ago

maakthon modified the report

a year ago

maakthon modified the report

a year ago

maakthon

commented a year ago

Researcher

@admin Should I continue testing this program or its gone ?

Jamie Slome

commented a year ago

Admin

Can you please clarify what you mean by "gone"?

maakthon

commented a year ago

Researcher

@admin I mean that the program is open to test ?

maakthon

commented a year ago

Researcher

I did not got any reply from the fixer!

Jamie Slome

commented a year ago

Admin

We send multiple reminders to the maintainer so please allow 2 more weeks for the maintainer to respond, as we do get a lot of maintainers that reply after a few automatic e-mail pings from us.

We have sent a follow up to the rhizome-conifer/conifer team. We will try again in 7 days. a year ago

maakthon

commented a year ago

Researcher

Okay, I got that. Thank you so much.

maakthon

commented a year ago

Researcher

Any updates ?

We have sent a second follow up to the rhizome-conifer/conifer team. We will try again in 10 days. a year ago

A rhizome-conifer/conifer maintainer validated this vulnerability a year ago

maakthon has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

maakthon

commented a year ago

Researcher

Can you please assign a CVE for this bug ? And What about the bounty ?

Jamie Slome

commented a year ago

Admin

Happy to assign a CVE once we get the go-ahead from the maintainer.

With regards to bounties, we are currently on rewarding bounties for reports against listed applications here 👍

We have sent a fix follow up to the rhizome-conifer/conifer team. We will try again in 7 days. a year ago

A rhizome-conifer/conifer maintainer marked this as fixed in develop with commit 5a83e7 a year ago

The fix bounty has been dropped

This vulnerability will not receive a CVE

to join this conversation