Cross-Site-Scripting vulnerability via crafted ebooks
Severity: Low
majora2007 published GHSA-r4qc-3w52-2v84 on Jun 28, 2024
Package: No package listed
Affected versions: < 0.8.0
Patched versions: None
Description
Summary
Opening an ebook with malicious scripts inside leads to code execution inside the browsing context.
Testing was done on version 0.8.0.0 on Windows.
Details
Kavita doesn't sanitize or sandbox the contents of epubs (as far as I can tell). This allows scripts inside ebooks to execute.
While this is expected behavior, it allows malicious scripts to perform every action that the logged-in user can perform.
Because the functionality exposed by Kavita's API endpoints is quite limited when it comes to the server itself (which is a good thing!), I was only able to use this vulnerability to leak the email credentials.
PoC
An ebook can be crafted with Calibre to include this bare minimum script:
Impact
Users have to open a malicious file.
However, the attacker doesn't have to prepare a book specifically for Kavita, but can use some fingerprinting to determine in what environment it's running.
Distribution of malicious books could be done via pirate sites or even (online) conversion services, which could inject those malicious scripts.
Usually code execution within an admin session leads to remote code execution on the server itself because of too much exposed functionality via API endpoints. However, Kavita seems quite solid in this regard.
Overall, I wouldn't be too worried. :^)
Some ideas
In an ideal world, scripted content would be turned off (e.g. via an iframe's sandbox attribute).
There are, however, limitations with that approach.
The author of foliate sums it up nicely here.
Maybe the user could be given the option to toggle scripted content.
Server-side sanitization is another option.
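As an added example of what the server-side sanitization option looks like (this is not Kavita's code and not part of the advisory): an allowlist filter on Python's standard-library HTMLParser that rewrites one EPUB chapter before it is served to the reader, dropping script/style/iframe/object/embed together with their content, every element and attribute not on the allowlist (which removes all on* handlers), and href/src values whose scheme is not http(s). The allowlists and the sample chapter are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists for a reflowable chapter (constructed for this example, not Kavita's own lists).
ALLOWED_TAGS = {"html", "head", "title", "body", "section", "div", "p", "span", "h1", "h2", "h3",
                "em", "strong", "b", "i", "a", "img", "ul", "ol", "li", "br", "blockquote"}
ALLOWED_ATTRS = {"class", "id", "href", "src", "alt", "title"}  # no on* handlers, no style
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img"}

def _safe_url(value):  # relative references and http(s) only; javascript:, data: etc. rejected
    scheme, has_scheme, _ = value.strip().partition(":")
    return not has_scheme or scheme.lower() in ("http", "https")

class ChapterSanitizer(HTMLParser):
    def __init__(self):
        super().__init__()  # convert_charrefs=True: text arrives decoded and is re-escaped below
        self.out = []
        self.skip = 0  # >0 while inside an element whose whole content is discarded

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if self.skip or tag not in ALLOWED_TAGS:
            return  # unknown element: drop the tag itself but keep its text content
        kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                if n in ALLOWED_ATTRS and (n not in ("href", "src") or _safe_url(v or ""))]
        self.out.append(f"<{tag}{''.join(kept)}{'/' if tag in VOID_TAGS else ''}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments, doctype and <?xml ?> hit the no-op defaults
        if not self.skip:
            self.out.append(escape(data, quote=False))

def sanitize_chapter(xhtml):
    parser = ChapterSanitizer()
    parser.feed(xhtml)
    parser.close()
    return "".join(parser.out)

# Constructed sample chapter: inline handler, <script>, javascript: URL and a hostile iframe.
MALICIOUS_CHAPTER = ('<html><body><h1 onmouseover="alert(1)">Chapter 1</h1><script>alert(1)</script>'
                     '<p>Plain <b>text</b> <a href="javascript:alert(1)">link</a> <a href="https://example.org/n">ok</a>'
                     '<img src="../images/cover.jpg" alt="cover"/></p><iframe src="https://evil.example/"></iframe></body></html>')
```

Text inside dropped elements is discarded, text inside unknown elements is kept, and decoded character references are re-escaped on output, so the result is plain, script-free XHTML regardless of how the input was encoded.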
That's it! If something's unclear, please ask away.
Cheers
Frederic
PS: Audio warning for the PoC video!
kavita-xss.mp4