codimd
Open Redirect / XSS via iframe with sandbox.
Summary
This is a similar issue to #959, but with a different cause.
Because the sandbox attribute is allowed, an attacker can redirect the victim to something malicious by embedding an iframe with allow-top-navigation in its sandbox attribute.
#959 won't work in Chrome because of its security measures, but this will work because sandbox is a whitelist attribute.
This becomes XSS in Safari by using the data: scheme.
Steps to reproduce
- Type <iframe src="https://example.com/hackmd.html" sandbox="allow-scripts allow-top-navigation"></iframe> in the Editor. (It doesn't work because my domain has expired.)
- View the edited page.
PoC (This PoC will redirect you to example.com)
CVE
Suggested fix
Don't allow the sandbox attribute in public/js/render.js.
Can I request a CVE number for this vulnerability?
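The following is an added example illustrating the report and the suggested fix; it is not CodiMD's own public/js/render.js code. The iframe attribute whitelists (WEAK_IFRAME_ATTRS, SAFE_IFRAME_ATTRS), the function names, the regex-based attribute parsing (a deliberately small stand-in for the real HTML sanitizer that only handles well-formed <iframe ...> tags) and the sample PoC markup are all assumptions made for this example. It shows the weak policy (sandbox whitelisted, so the note author decides which restrictions are lifted) beside two hardened ones: dropping sandbox entirely, as suggested above, or keeping sandbox but stripping the allow-top-navigation* tokens that let the frame navigate the embedding page.

```javascript
// Added example (not CodiMD's render.js): attribute whitelisting for <iframe>
// tags, with a detector for sandbox values that grant top-level navigation.

// Matches a well-formed opening <iframe ...> tag and captures its attribute text.
const IFRAME_TAG_RE = /<iframe\b([^>]*)>/gi;
// Matches one attribute: name, optionally followed by a quoted or bare value.
const ATTR_RE = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Weak policy (assumed to resemble what the report describes): sandbox is whitelisted.
const WEAK_IFRAME_ATTRS = ['src', 'width', 'height', 'allowfullscreen', 'sandbox'];
// Hardened policy (the suggested fix): sandbox is not whitelisted at all.
const SAFE_IFRAME_ATTRS = ['src', 'width', 'height', 'allowfullscreen'];

// Sandbox tokens that let a sandboxed frame navigate window.top, which is what
// the PoC needs for an open redirect (or, per the report, XSS via data: in Safari).
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
  'allow-top-navigation-to-custom-protocols',
]);

// Constructed sample input: the PoC markup from the report.
const POC = '<iframe src="https://example.com/hackmd.html" sandbox="allow-scripts allow-top-navigation"></iframe>';

function parseAttrs(attrString) {
  const attrs = [];
  for (const m of attrString.matchAll(ATTR_RE)) {
    const value = m[2] ?? m[3] ?? m[4] ?? null; // null for valueless attributes
    attrs.push({ name: m[1].toLowerCase(), value });
  }
  return attrs;
}

function sandboxGrantsTopNavigation(sandboxValue) {
  return sandboxValue.toLowerCase().split(/\s+/).some((t) => TOP_NAV_TOKENS.has(t));
}

// Keep only the sandbox tokens that do not grant top navigation. An empty
// sandbox="" is the most restrictive form, so it is safe to leave behind.
function stripTopNavigationTokens(sandboxValue) {
  return sandboxValue.split(/\s+/).filter((t) => t && !TOP_NAV_TOKENS.has(t.toLowerCase())).join(' ');
}

// Rewrites every <iframe> opening tag, keeping only whitelisted attributes.
function sanitizeIframes(html, allowedAttrs, { stripTopNavigation = false } = {}) {
  const allowed = new Set(allowedAttrs);
  return html.replace(IFRAME_TAG_RE, (_tag, attrString) => {
    const kept = parseAttrs(attrString)
      .filter((a) => allowed.has(a.name))
      .map((a) => {
        let value = a.value;
        if (a.name === 'sandbox' && stripTopNavigation && value !== null) {
          value = stripTopNavigationTokens(value);
        }
        return value === null ? a.name : `${a.name}="${value.replace(/"/g, '&quot;')}"`;
      });
    return kept.length ? `<iframe ${kept.join(' ')}>` : '<iframe>';
  });
}

// Returns the opening tags of iframes whose sandbox attribute re-enables top navigation.
function iframesWithTopNavigation(html) {
  const hits = [];
  for (const m of html.matchAll(IFRAME_TAG_RE)) {
    const sandbox = parseAttrs(m[1]).find((a) => a.name === 'sandbox');
    if (sandbox && sandbox.value !== null && sandboxGrantsTopNavigation(sandbox.value)) {
      hits.push(m[0]);
    }
  }
  return hits;
}

// Weak policy passes the PoC through unchanged; the hardened policies neutralise it.
console.log('weak    :', sanitizeIframes(POC, WEAK_IFRAME_ATTRS));
console.log('no-sbox :', sanitizeIframes(POC, SAFE_IFRAME_ATTRS));
console.log('strip   :', sanitizeIframes(POC, WEAK_IFRAME_ATTRS, { stripTopNavigation: true }));
console.log('flagged :', iframesWithTopNavigation(POC).length);
```

Dropping sandbox entirely, as the suggested fix does, is the simpler rule to reason about; stripping only the allow-top-navigation* tokens keeps the restrictive value of sandbox for embedders that want it, at the cost of a token blacklist that must be kept current.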
Hi @Ry0taK, thanks for reporting this to us. Yes, I think you can report it to CVE; this should be fixed soon.
Hello @jackycute, thank you for your reply. I've requested a CVE number from MITRE Corporation.
Regards, RyotaK
Hi, I'm not a user of this codebase project (I ended up here through the CVE RSS), but I don't get why removing/disallowing the sandbox attribute will protect or change anything?
This, served at http://victim.localhost/
<iframe src="http://attacker.localhost/contained.html">
</iframe>
With this evil contained page
<script>
window.top.location.href = 'https://example.com/';
</script>
will also redirect the top page to https://example.com/?! Why are things safer after the patch?
Hi @SpyroTEQ,
So disallowing the sandbox attribute is the first step to preventing this vulnerability. There is another issue tracking the rest: #959.