security: XSS vulnerability (CVE-2023-23277)

[go-compile]

XSS/Cross Site Scripting Vulnerability

Vulnerability: XSS
Severity: VERY HIGH
Image: pawelmalak/snippet-box:arm
Digest: sha256:ba9245cc339d159588c76b33f0ae708f5c1af68a27f876561b8b84ed5b8ee288

Why this is a problem: Snippet-box doesn't have authentication, allowing anyone to perform this attack. Furthermore, if Snippet-box is running on a domain which is used by other services, e.g. Nextcloud, then an attacker could potentially be able to perform a lateral move via extracting local storage; obtaining authentication tokens. Alternatively, one could perform CSRF, even if "same site cookies" are enabled, depending on the service, account take over may be possible due to XSS on the same domain.

Proof of Concept

1. Create new snippet.
2. Set the snippet content to:

<h1>HTML is being rendered</h1>
<p style="color: red">WARNING XSS</p>
<script>alert("XSS")</script>

3. Copy "raw url"
4. Navigate within a browser

Result

Cause

The cause to this vulnerability due to the raw snippet route setting content-type to text/html.

Resolution

Follow both steps.

1. Set content-type to text/plain.
2. Set header X-Content-Type-Options: nosniff.

Responsible disclosure statement: I was unable to find emergency contact information for reporting security concerns in private, as a result this issue has been created.

[schklom]

This sounds like a job for a reverse-proxy.

[go-compile]

For the time being it may be an appropriate temporary patch, but certainly not a permanent one.