
exportAllNotes should use POST method for security

Open huntr-helper opened this issue 4 years ago • 14 comments

👋 Hello, we've received a report for a potential high severity security issue in your repository.

Next Steps

1️⃣ Visit https://huntr.dev/bounties/1-other-hackmdio/codimd for more advisory information.

2️⃣ Sign-up to validate or speak to the researcher for more assistance.

3️⃣ Propose a patch or outsource it to our community.


Confused or need more help?

  • Join us on our Discord and a member of our team will be happy to help! 🤗

  • Speak to a member of our team: @JamieSlome


This issue was automatically generated by huntr.dev - a bug bounty board for securing open source code.

huntr-helper avatar May 23 '21 13:05 huntr-helper

I don't quite get it, if you found any security issue, you can just report here as issue. It's ok to disclose here instead of browsing another bug bounty site.

jackycute avatar May 25 '21 06:05 jackycute

Feel free to reopen or open another issue if you disclose the details.

jackycute avatar May 25 '21 06:05 jackycute

@jackycute - we are currently doing this as many maintainers have asked that reports are kept private, until they can validate the report.

I will post the disclosure details here...

JamieSlome avatar May 25 '21 06:05 JamieSlome

✍️ Description

The /exportAllNotes endpoint does not require any CSRF token validation. This could be used to force a download of account data and spoof users.

🕵️‍♂️ Proof of Concept

  1. Log in to the user account.
  2. Create the following file and open it in a browser. Click on the link.
<html>
<body>
<a href="https://hackmd.io/exportAllNotes">Download</a>
</body>
</html>
  3. This downloads the user's data from hackmd. An attacker can then spoof the user to upload this file into their server.

💥 Impact

Private information leakage.

JamieSlome avatar May 25 '21 06:05 JamieSlome

The platform also allows the maintainer to get paid for validating, and confirming patches against advisories.

Plus, we mediate and assign CVEs if needed.

JamieSlome avatar May 25 '21 06:05 JamieSlome

Thanks for reporting @JamieSlome. However, creating a link that lets the user download their data is the same as what they do in the profile menu. The downloaded zip should only be accessible in their own filesystem; I don't see a big concern that the user will leak their data elsewhere.

Also, there is no way we can add CSRF for the HTTP GET method.

jackycute avatar May 25 '21 06:05 jackycute

Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged on to their account. And he visits a malicious page at attacker.com with this content.

<html>
<body onload='window.open("https://hackmd.io/exportAllNotes");'>
        To verify that you are a human, upload the zip file that has been downloaded from our website now.
</body>
</html>

A normal user, who doesn't know what has happened, will definitely fall for this attack since he has never requested a file download from codemd.

oomb avatar May 25 '21 10:05 oomb

Also, there is no way we can add CSRF for the HTTP GET method.

You could add a CSRF token to the link before the download is initiated. The download link can be given as /exportAllNotes?csrf=<random_string>. The random string will not be known to the attacker, and must be verified on the server side.

This would prevent the attacker from initiating downloads from the server.

oomb avatar May 25 '21 10:05 oomb

Hey @jackycute, let me put forward the issue in a clearer way. Say that a legitimate user is logged on to their account. And he visits a malicious page at attacker.com with this content.

<html>
<body onload='window.open("https://hackmd.io/exportAllNotes");'>
        To verify that you are a human, upload the zip file that has been downloaded from our website now.
</body>
</html>

A normal user, who doesn't know what has happened, will definitely fall for this attack since he has never requested a file download from codemd.

This is more like a phishing attack than a CSRF issue.

Since downloading all notes should be safe, we can consider changing the exportAllNotes API to the POST method and reserving the ability to add a CSRF token.

jackycute avatar May 25 '21 11:05 jackycute

Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?

/cc @JamieSlome

oomb avatar May 25 '21 11:05 oomb

Yeah. You are right. That would be a good fix for this. Can you consider marking this disclosure verified here as well?

/cc @JamieSlome

I would love to; can you modify the vulnerability to reflect what we've discussed here? It's potentially phishing user data, and the severity should be lower in my opinion.

jackycute avatar May 25 '21 11:05 jackycute

I have updated the write-up as well as the CVSS score. Please let me know if you would like to suggest any changes. Thanks.

oomb avatar May 25 '21 13:05 oomb

Verified, found a typo though: codemd -> CodiMD.

Thanks for reporting.

jackycute avatar May 25 '21 14:05 jackycute

Is this security issue still relevant? I don't know if a fix has been implemented.

AkechiShiro avatar Jan 01 '24 18:01 AkechiShiro