[Security bug] Stored XSS Trigger for TA by user account #5266

Closed
humblelad opened this issue Apr 19, 2020 · 3 comments · Fixed by #6646
Comments

humblelad commented Apr 19, 2020

Describe the bug
This vulnerability can potentially enable any student to take over the account of a TA if they open the attachment, as the cookie gets exposed.

A student logged in via username/password student:student has the ability to submit submissions for grading.

These can then be viewed by the TA from their account via ta:ta. When they click on the file for grading, the stored XSS gets triggered.

Expected behavior
.svg files must be stopped from getting uploaded by any student during submissions.

To Reproduce
Steps to reproduce the behavior:

  1. Log in as a student, via student:student

  2. Go here http://localhost:1501/s20/tutorial/gradeable/01_simple_python (as an example)

  3. In the new submission, upload the .svg file.
    The SVG file can be created by saving as .svg.
    GitHub doesn't allow attaching SVG files or their code, so here is the link to create a sample malicious SVG file.

  4. Log in as ta and open the same file for grading. The XSS gets triggered, alerting the cookies.

Screenshots
[Screenshot 2020-04-20 at 12:42:44 AM]
[Screenshot 2020-04-20 at 12:45:02 AM]

Additional context
We may try to block .svg files from being uploaded and also try to drop the Content-Type: image/svg+xml.

Adding Content-Disposition: attachment as mentioned here may help with the mitigation.

@humblelad humblelad added the bug label Apr 19, 2020
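The server-side shape of the mitigation suggested above (refuse .svg uploads, never echo an image/svg+xml type, and serve stored files with Content-Disposition: attachment), written as an added Python example rather than Submitty's own PHP code. Function names, the sample file bytes and the decision to also refuse HTML (which browsers render the same way) are assumptions of this example.

```python
"""Defensive handling of uploaded submission files.

Two controls, matching the issue's suggestions: reject SVG at upload time
(by extension, declared type, and a content sniff for renamed files), and
serve every stored file as a forced download so the browser never renders
user content inside the application's origin.
"""
import re
from typing import Dict, Optional

# Extensions browsers will render as a document (the issue's .svg case,
# extended here to HTML as an assumption of this example).
BLOCKED_EXTENSIONS = {"svg", "svgz", "html", "htm", "xhtml"}
# Declared types that must never be stored or echoed back to the browser.
RENDERABLE_TYPES = {"image/svg+xml", "text/html", "application/xhtml+xml"}

# Matches an <svg> root element; used to catch SVG content under another name.
_SVG_ROOT = re.compile(rb"<\s*svg[\s>]", re.IGNORECASE)


def extension(filename: str) -> str:
    """Lower-cased extension without the dot, or '' when there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def looks_like_svg(data: bytes) -> bool:
    """Content sniff over the first KiB, regardless of the filename."""
    return _SVG_ROOT.search(data[:1024]) is not None


def reject_reason(filename: str, data: bytes, claimed_type: str) -> Optional[str]:
    """Return why an upload is refused, or None if it may be stored."""
    ext = extension(filename)
    if ext in BLOCKED_EXTENSIONS:
        return f"extension .{ext} is not accepted"
    media_type = claimed_type.split(";")[0].strip().lower()
    if media_type in RENDERABLE_TYPES:
        return f"declared type {media_type} is not accepted"
    if looks_like_svg(data):
        return "file content is an SVG document despite its name"
    return None


def download_headers(filename: str) -> Dict[str, str]:
    """Headers for serving a stored submission back to graders.

    The type is fixed to application/octet-stream (the uploader's claim is
    never reused), the disposition forces a download, nosniff stops the
    browser from guessing a renderable type, and the CSP neutralises any
    script should a file still be opened inline.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "submission"
    return {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
```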
elihschiff (Member) commented Apr 19, 2020

Please do not post security-related issues on the public issue tracker. For more information on how to report a security vulnerability on Submitty, please read this file: https://www.github.com/Submitty/Submitty/tree/master/VULNERABILITY_DISCLOSURE_POLICY.md

humblelad (Author) commented

@elihschiff OK. Sorry! I will take care of it in the future.

humblelad (Author) commented

Assigned CVE-2020-12882 to this issue.
