Thanks @ShlomoCode, this is now resolved and will be released shortly. By default we do not allow for the uploading of html files, and so that proves to be a sensible default.
As of 2.4.3, any html files uploaded will be automatically downloaded instead of displayed inline.
I should warn that if you use a reverse proxy, you'll need to set additional rules to prevent the inline opening of html files.
NodeBB version
No response
NodeBB git hash
No response
NodeJS version
No response
Installed NodeBB plugins
No response
Database type
MongoDB
Database version
No response
Exact steps to cause this issue
Drag an html file into a post. If the html extension is authorized for uploading, the file will be uploaded to the forum server and will be available for viewing.
What you expected
The file will be available, but when you click on it, the file will download to the computer, and will not open in the browser.
What happened instead
The file opens in the browser under the domain of the forum - for example: https://my-nodebb.com/assets/uploads/files/1660777474710-file-name.html
I can inject malicious code into an HTML file, then another user logs in, and since it's on the same domain as the forum - https://my-nodebb.com, the code will be able to make API requests on behalf of the logged-in user.
Just as a small example:
This is a harmless example, but just as well you can do almost anything!
Anything else?
The logic of downloading instead of viewing can be achieved by the reverse proxy such as nginx. But I think this ability should be built in.
Thanks!