Summary
There is a persistent XSS in the Inbox.
Details
There is a stored XSS in the Inbox. The input is displayed using the safe Jinja2 attribute, and thus not sanitized upon display. If GPG encryption is enabled, it is trivial to bypass server side encryption by setting client_side_encrypted=true and send the payload in plaintext in the POST request and have the XSS execute in the recipient's inbox anyway.
|
<div class="message{% if 'BEGIN PGP MESSAGE' in message.content %} encrypted{% endif %}" data-encrypted-content="{{ message.content | safe }}"> |
|
if not client_side_encrypted and user.pgp_key: |
PoC
Send to the target user:
"><img src=https://lsd.cat/icon.png>
To see that image inclusion works. Se client_side_encrypted=true and send the payload plaintext to demo the attack against someone a user who has GPG encryption enabled.
Impact
This attack allows to inject HTML. Chained with a CSP bypass, reported in a separate issue, it allows for full account takeover and inbox exfiltration. Via JavaScript, it would be possible to dump the entire Inbox page. Furthermore, an attacker might change or remove the GPG key and disable 2FA since no additional authentication is required for those actions.
Note: I tried to report this as suggested in Security.md via the scidsg tipline. Received no reply in ~5 days.
lsd-cat Reporter
Summary
There is a persistent XSS in the Inbox.
Details
There is a stored XSS in the Inbox. The input is displayed using the
safeJinja2 attribute, and thus not sanitized upon display. If GPG encryption is enabled, it is trivial to bypass server side encryption by settingclient_side_encrypted=trueand send the payload in plaintext in the POST request and have the XSS execute in the recipient's inbox anyway.hushline/hushline/templates/inbox.html
Line 8 in f172850
hushline/hushline/routes.py
Line 146 in f172850
PoC
Send to the target user:
To see that image inclusion works. Se
client_side_encrypted=trueand send the payload plaintext to demo the attack against someone a user who has GPG encryption enabled.Impact
This attack allows to inject HTML. Chained with a CSP bypass, reported in a separate issue, it allows for full account takeover and inbox exfiltration. Via JavaScript, it would be possible to dump the entire Inbox page. Furthermore, an attacker might change or remove the GPG key and disable 2FA since no additional authentication is required for those actions.
Note: I tried to report this as suggested in Security.md via the scidsg tipline. Received no reply in ~5 days.