Bug 48812 - Cross Site Scripting in Portal allows session fixation of Administrators and other attacks
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Portal
Version: UCS 4.4
Platform: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.4-0-errata
Assigned To: Florian Best
QA Contact: Johannes Keiser
URL: https://github.com/dojo/dijit/pull/171
Depends on:
Blocks:
Reported: 2019-02-27 18:20 CET by Florian Best
Modified: 2021-06-23 07:29 CEST (History)
CC: 2 users
See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)


Attachments
- proof Screenshot (65.13 KB, image/png), 2019-02-27 18:47 CET, Florian Best
- possible patch (1.02 KB, patch), 2019-02-27 19:18 CET, Johannes Keiser
- patch (922 bytes, patch), 2019-03-30 08:32 CET, Florian Best

Description Florian Best univentionstaff 2019-02-27 18:20:25 CET
When adding arbitrary HTML to the attribute univentionPortalAnonymousEmpty of any univentionObjectType=settings/portal, you just have to wait until an Administrator hits it and this code is executed, which can do various things.

Simple PoC:

univentionPortalAnonymousEmpty: de_DE
<p onmouseover="alert(document.cookie);">foobar</p>.
Comment 1 Johannes Keiser univentionstaff 2019-02-27 18:41:48 CET
dijit/Editor removes dangerous code snippets in HTML

If anonymousEmpty is set directly (not via the frontend Editor),
then dangerous code is removed via dompurify.sanitize() in portal/main.js.
Comment 2 Florian Best univentionstaff 2019-02-27 18:44:41 CET
(In reply to Johannes Keiser from comment #1)
> dijit/Editor removes dangerous code snippets in HTML
Yes, but only if you type it in. This doesn't work if these values are set in LDAP.

> if anonymousEmpty is set directly (not via the frontend Editor)
> then dangerous code is removed via dompurify.sanitize() in portal/main.js
Ok, this must be applied in the UDM code then as well.
Comment 3 Florian Best univentionstaff 2019-02-27 18:47:51 CET
Created attachment 9869 [details]
proof Screenshot
Comment 4 Johannes Keiser univentionstaff 2019-02-27 19:18:00 CET
(In reply to Florian Best from comment #2) 
> > if anonymousEmpty is set directly (not via the frontend Editor)
> > then dangerous code is removed via dompurify.sanitize() in portal/main.js
> Ok, this must be applied in the UDM code then as well.

Yes, didn't think about that direction unfortunately.

Probably best to do this on umc/widgets/Editor directly.
Comment 5 Johannes Keiser univentionstaff 2019-02-27 19:18:47 CET
Created attachment 9870 [details]
possible patch
Comment 6 Florian Best univentionstaff 2019-02-27 19:26:24 CET
Actually, this is an upstream bug:

umc.dialog.alert(new dijit._editor.RichText({value: '<p onmouseover="alert(document.cookie + document.domain);">foobar</p>'}))

But yes, let's stick first to your patch ;-)

I will see that I report it back to dojo, if it is not fixed in a more recent version already.
Comment 7 Florian Best univentionstaff 2019-03-30 08:24:19 CET
Memberservers and DCs have access to it:

management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal:
access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
        by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write
        by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write
Comment 8 Florian Best univentionstaff 2019-03-30 08:32:14 CET
Created attachment 9948 [details]
patch

Suggesting this alternative patch.
Comment 9 Florian Best univentionstaff 2019-04-25 12:20:11 CEST
Applied both patches. It seems the contentPreFilter is not effective during initial set.

univention-web (3.0.5-11)
b44c0459ab21 | "Bug #48812: fix get/set('value')"
6cc8b6dbe710 | "Bug #48812: fix Cross Site Scripting issue in umc.widgets.Editor which is used by portal entries"
16612c8e9ad4 | "Bug #48812: do not load purify during build time"

univention-web.yaml
90c2f8d1e5d4 | YAML Bug #48812
2c78c453e30d | YAML Bug #48812
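The fix direction in comments 1, 2 and 9 (sanitize inside the Editor widget's get/set('value') so that both the typed path and the LDAP path end up safe) as an added illustration; this is not Univention code and not DOMPurify. SafeEditor, sanitizeHtml and the allowlist are constructed stand-ins, and a tiny tag allowlist takes the place of dompurify.sanitize().

```javascript
// Constructed example: allowlist sanitizer + widget that sanitizes on set.
// Stand-in for dompurify.sanitize(); a production widget should use DOMPurify.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'br', 'ul', 'ol', 'li', 'a']);

// Escape text nodes so they can never be re-parsed as markup.
function escapeText(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Keep only allowlisted tags, drop every attribute (so on* handlers vanish)
// except an http(s) href on <a>. Everything between tags is escaped text.
function sanitizeHtml(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    const name = m[1].toLowerCase();
    const closing = m[0][1] === '/';
    if (!ALLOWED_TAGS.has(name)) continue;        // <script>, <img>, <iframe> ... dropped
    if (closing) { out += `</${name}>`; continue; }
    let attrs = '';
    if (name === 'a') {
      const href = /\bhref\s*=\s*["']([^"']*)["']/i.exec(m[2]);
      if (href && /^https?:\/\//i.test(href[1])) {
        attrs = ` href="${escapeText(href[1]).replace(/"/g, '&quot;')}"`;
      }
    }
    out += `<${name}${attrs}>`;                  // attributes such as onmouseover are gone
  }
  return out + escapeText(html.slice(last));
}

// Widget stand-in for the fixed umc.widgets.Editor behaviour: the value is
// sanitized on set(), including the initial set from the constructor, which is
// where comment 9 notes the contentPreFilter was not effective.
class SafeEditor {
  constructor(props) { this._value = ''; this.set('value', (props && props.value) || ''); }
  set(name, v) { if (name === 'value') this._value = sanitizeHtml(String(v)); }
  get(name) { return name === 'value' ? this._value : undefined; }
}

// Constructed payload with the same shape as the PoC in the description.
const POC = '<p onmouseover="alert(document.cookie);">foobar</p>';
const editor = new SafeEditor({ value: POC });
console.log(editor.get('value')); // <p>foobar</p>
```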
Comment 10 Florian Best univentionstaff 2019-05-02 11:24:29 CEST
Finally the vulnerability has been fixed upstream as well: https://github.com/dojo/dijit/pull/171
Comment 11 Johannes Keiser univentionstaff 2019-05-03 13:58:24 CEST
OK: Editor content is sanitized
OK: YAML
-> verified