Submission of HTML files (XSS) #10845

Closed
ShlomoCode opened this issue Aug 17, 2022 · 3 comments
Comments


ShlomoCode commented Aug 17, 2022

NodeBB version

No response

NodeBB git hash

No response

NodeJS version

No response

Installed NodeBB plugins

No response

Database type

MongoDB

Database version

No response

Exact steps to cause this issue

Drag an html file into a post. If the html extension is authorized for uploading, the file will be uploaded to the forum server and will be available for viewing.

What you expected

The file will be available, but when you click on it, the file will download to the computer, and will not open in the browser.

What happened instead

The file opens in the browser under the domain of the forum - for example:
https://my-nodebb.com/assets/uploads/files/1660777474710-file-name.html

I can inject malicious code into an HTML file, then another user logs in, and since it's on the same domain as the forum - https://my-nodebb.com, the code will be able to make API requests on behalf of the logged-in user.

Just as a small example:

    <script>
        (async ()=>{
            console.log(await (await fetch('/api/flags')).json())
        })()
    </script>

This is a harmless example, but just as well you can do almost anything!

Anything else?

The logic of downloading instead of viewing can be achieved by a reverse proxy such as nginx. But I think this ability should be built in.
Thanks!

@ShlomoCode ShlomoCode added the bug label Aug 17, 2022
@julianlam julianlam self-assigned this Aug 18, 2022
@julianlam julianlam added this to the 2.4.3 milestone Aug 18, 2022
@julianlam (Member) commented:

Thanks @ShlomoCode, this is now resolved and will be released shortly. By default we do not allow for the uploading of html files, and so that proves to be a sensible default.

As of 2.4.3, any html files uploaded will be automatically downloaded instead of displayed inline.

I should warn that if you use a reverse proxy, you'll need to set additional rules to prevent the inline opening of html files.

@ShlomoCode (Author) commented:

I should warn that if you use a reverse proxy, you'll need to set additional rules to prevent the inline opening of html files.

Could you please explain?

@julianlam (Member) commented:

You need to define the rules to send the Content-Disposition header. NodeBB cannot do it when nginx/etc acts as a reverse proxy in front.
