Static Code Injection in collectiveaccess/pawtucket2

Valid

Reported on

Sep 30th 2021


Description

This is with reference to another SSRF report I made (https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/) in which the fix was to filter external src from images. Pawtucket2 makes use of the same code as Providence to filter HTML, however it does not include the new fix present in https://github.com/collectiveaccess/providence/commit/aaf573e2fcaaa5c5b52c61eaaa4d6a5ca3b247d9, allowing attackers to still inject an img with a src to external URL.

PoC

It is possible to inject <img src="http://10.0.2.4"> as the name of a Lightbox, confirming that we still can inject HTML with an external src.

Impact

HTML injection with img tags of external src is possible. It may be escalated to an SSRF with reference to the earlier report I made https://huntr.dev/bounties/43505ece-7d5e-44b8-a7a3-69bd42d0ad02/ provided the attacker can inject HTML into somewhere which will be rendered as PDF.

Recommended Fix

Copy this fix https://github.com/collectiveaccess/providence/commit/aaf573e2fcaaa5c5b52c61eaaa4d6a5ca3b247d9 to the below permalink.
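As an added illustration of the kind of filter the report asks for (this is not CollectiveAccess code and not the contents of the referenced commit, which this page does not show), the Python sanitizer below rebuilds user-supplied HTML and drops any img element whose src is not a relative path or a URL on an allowed host. The allowed host name is a constructed placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed placeholder: the host(s) the site itself serves images from.
ALLOWED_HOSTS = {"archive.example"}


def is_local_image_src(src: str) -> bool:
    """True only for relative paths or http(s) URLs on an allowed host.

    Rejects absolute URLs to other hosts, protocol-relative //host URLs
    and non-http schemes (data:, javascript:, ...). Backslashes are
    normalised first because browsers treat "/\\host" like "//host".
    """
    s = src.strip().replace("\\", "/")
    parts = urlsplit(s)
    if parts.scheme == "" and parts.netloc == "":
        return True  # plain relative path such as /media/1.jpg
    if parts.scheme.lower() not in ("http", "https"):
        return False  # covers //host (empty scheme) and exotic schemes
    host = parts.hostname
    return host is not None and host.lower() in ALLOWED_HOSTS


class ImgSrcFilter(HTMLParser):
    """Re-emits the input HTML, omitting <img> tags with an external src."""

    def __init__(self):
        # convert_charrefs=False so entities are passed through unchanged.
        super().__init__(convert_charrefs=False)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            # Check every src attribute, not just the last one seen.
            srcs = [v or "" for k, v in attrs if k == "src"]
            if any(not is_local_image_src(v) for v in srcs):
                return  # drop the whole element
        self.out.append(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # get_starttag_text() includes "/>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_external_images(html: str) -> str:
    """Return html with every externally sourced <img> removed."""
    p = ImgSrcFilter()
    p.feed(html)
    p.close()
    return "".join(p.out)
```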

We have contacted a member of the collectiveaccess/pawtucket2 team and are waiting to hear back a year ago
CollectiveAccess validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
CollectiveAccess
a year ago

Maintainer

We know we need to replicate this. Thanks for the prod.

CollectiveAccess marked this as fixed with commit 5a3c20 a year ago
CollectiveAccess has been awarded the fix bounty
This vulnerability will not receive a CVE