Univention Bugzilla – Bug 48812
Cross Site Scripting in Portal allows session fixation of Administrators and other attacks
Last modified: 2021-06-23 07:29:13 CEST
When adding arbitrary HTML to the attribute univentionPortalAnonymousEmpty of any univentionObjectType=settings/portal you just have to wait until an Administrator hits it until this code is executed, which can do various things. Simple PoC: univentionPortalAnonymousEmpty: de_DE <p onmouseover="alert(document.cookie);">foobar</p>.
dijit/Editor removes dangerous code snippets in HTML. If anonymousEmpty is set directly (not via the frontend Editor), then dangerous code is removed via dompurify.sanitize() in portal/main.js.
(In reply to Johannes Keiser from comment #1)
> dijit/Editor removes dangerous code snippets in HTML
Yes, but only if you type it in. This doesn't work if these values are set in LDAP.
> if anonymousEmpty is set directly (not via the frontend Editor)
> then dangerous code is removed via dompurify.sanitize() in portal/main.js
Ok, this must be applied in the UDM code then as well.
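The point of comment #2 is that a value written straight into LDAP bypasses the frontend editor's filtering. The following audit script is an added example, not part of the bug report or of Univention's code: it walks a constructed LDIF export, picks out settings/portal objects, splits each univentionPortalAnonymousEmpty value into its locale prefix and HTML body (the "de_DE <p ...>" layout shown in the report) and flags markup that carries inline event handlers, javascript: URLs or script-bearing tags. The simplified LDIF reader assumes one attribute per line with no line folding or base64 (::) values.

```python
from html.parser import HTMLParser

# Constructed sample export of two settings/portal objects (not real data).
SAMPLE_LDIF = """\
dn: cn=domain,cn=portal,cn=univention,dc=example,dc=com
univentionObjectType: settings/portal
univentionPortalAnonymousEmpty: en_US <p>Please log in</p>
univentionPortalAnonymousEmpty: de_DE <p onmouseover="alert(document.cookie);">foobar</p>

dn: cn=other,cn=portal,cn=univention,dc=example,dc=com
univentionObjectType: settings/portal
univentionPortalAnonymousEmpty: en_US <script>alert(1)</script>
"""

class ActiveMarkupFinder(HTMLParser):
    """Records tags/attributes that would execute script when rendered unsanitized."""
    RISKY_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RISKY_TAGS:
            self.findings.append(f"<{tag}>")
        for name, value in attrs:
            is_handler = name.startswith("on")
            is_js_url = name in ("href", "src") and (value or "").strip().lower().startswith("javascript:")
            if is_handler or is_js_url:
                self.findings.append(f"<{tag} {name}>")

def parse_ldif(text):
    """Minimal LDIF reader: blank line separates entries, 'key: value' per line (assumption)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries

def audit_portal_entries(ldif_text):
    """Return (dn, locale, findings) for each anonymousEmpty value containing active markup."""
    hits = []
    for entry in parse_ldif(ldif_text):
        if "settings/portal" not in entry.get("univentionObjectType", []):
            continue
        for raw in entry.get("univentionPortalAnonymousEmpty", []):
            locale, _, html = raw.partition(" ")  # stored as "<locale> <html>"
            finder = ActiveMarkupFinder()
            finder.feed(html)
            if finder.findings:
                hits.append((entry["dn"][0], locale, finder.findings))
    return hits
```

Run it against a real export (e.g. the output of a search restricted to univentionObjectType=settings/portal) to find values that were never passed through the sanitizer.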
Created attachment 9869 [details] proof Screenshot
(In reply to Florian Best from comment #2)
> > if anonymousEmpty is set directly (not via the frontend Editor)
> > then dangerous code is removed via dompurify.sanitize() in portal/main.js
> Ok, this must be applied in the UDM code then as well.
Yes, didn't think about that direction unfortunately. Probably best to do this on umc/widgets/Editor directly.
Created attachment 9870 [details] possible patch
Actually this is an upstream bug: umc.dialog.alert(new dijit._editor.RichText({value: '<p onmouseover="alert(document.cookie + document.domain);">foobar</p>'})) But yes, let's stick first to your patch ;-) I will see that I report it back to dojo, if it is not fixed in a more recent version already.
Memberservers and DCs have access to it: management/univention-ldap/conffiles/etc/ldap/slapd.conf.d/62univention-ldap-server_acl-portal:
access to dn.children="cn=portal,cn=univention,@%@ldap/base@%@" attrs=entry,@univentionObject,@univentionPortalEntry,@univentionPortal
    by dn.onelevel="cn=dc,cn=computers,@%@ldap/base@%@" write
    by dn.onelevel="cn=memberserver,cn=computers,@%@ldap/base@%@" write
Created attachment 9948 [details] patch Suggesting this alternative patch.
Applied both patches. It seems the contentPreFilter is not effective during initial set.
univention-web (3.0.5-11)
b44c0459ab21 | "Bug #48812: fix get/set('value')"
6cc8b6dbe710 | "Bug #48812: fix Cross Site Scripting issue in umc.widgets.Editor which is used by portal entries"
16612c8e9ad4 | "Bug #48812: do not load purify during build time"
univention-web.yaml
90c2f8d1e5d4 | YAML Bug #48812
2c78c453e30d | YAML Bug #48812
Finally the vulnerability has been fixed upstream as well: https://github.com/dojo/dijit/pull/171
OK: Editor content is sanitized
OK: YAML -> verified
<http://errata.software-univention.de/ucs/4.4/88.html> <http://errata.software-univention.de/ucs/4.4/89.html>