[Security] Stored XSS in main page #1358
Comments

Hey thanks! Yeah, interesting. If I just click on the link, I get

Yeah, I know. That's why I specified that thing. It's a security measure taken by modern browsers, but if you use an older one it will execute normally. (Even if I normally click it with Ctrl pressed.) Can you give some info on the versions affected? You are the one who knows the entire codebase :P

Hmm, I'm wondering if a better future-proof fix is to only allow

Strongly agreed.

@edoardottt what are your thoughts on #1359? I guess this is kinda mitigated by the fact that you'd need to Ctrl+click on it

@edoardottt this is further mitigated by the 'share' receiving server now checking for 'javascript:', so it won't be possible to share that kind of URL; you'd have to paste that URL in (which is possible I guess). https://changedetection.io/share/LpbICKx5Rbca was deleted from the share database.

I can confirm the share feature is behaving correctly handling

For the sake of completeness, this attack can also be carried out using the but now it looks fixed

Another idea, since in

Go easy on the emoticons :) Yeah, but that should be resolved on that PR. I'll merge it in and make a release.
Describe the bug
It's possible to inject arbitrary JavaScript code into the main page of changedetection.io. This can result in a stored cross-site scripting attack. Since the plaintext API key is exposed in /settings#api, the attacker can also read the API key with an XSS attack.
Version
I'm using v0.39.20.4, but I'm sure other versions could be affected as well.
To Reproduce
Steps to reproduce the behavior:
javascript:alert(document.domain)
Reproduce the vulnerability with https://changedetection.io/share/LpbICKx5Rbca
Expected behavior
The javascript protocol should be blocked like file:// for security reasons.
Screenshots

Desktop (please complete the following information):
Linux edoardottt 5.19.0-29-generic
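An added example (not changedetection.io's own code) of the scheme allow-list the thread leans toward as the future-proof fix, placed next to the literal `javascript:` deny-list for contrast; the function names and the http/https allow-list are this example's assumptions.

```python
"""Allow-list check for URLs accepted into the watch list.
Added example, not changedetection.io's own code: it assumes the fix is an
allow-list of schemes; the function names and the http/https list are assumptions."""
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# What the WHATWG URL parser strips before reading the scheme: leading and
# trailing C0 controls and spaces, plus ASCII tab/CR/LF anywhere in the string.
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))

def normalise_url(url: str) -> str:
    """Mirror the browser's pre-parse cleanup so this check and the browser
    agree on the scheme. Newer Pythons do part of this inside urlsplit already;
    doing it here keeps the result independent of the interpreter version."""
    url = url.strip(_C0_AND_SPACE)
    return url.replace("\t", "").replace("\r", "").replace("\n", "")

def deny_list_rejects(url: str) -> bool:
    """The literal prefix check discussed in the thread, kept for contrast:
    it only matches the exact lowercase prefix in the raw, unnormalised string."""
    return url.startswith("javascript:")

def is_allowed_watch_url(url: str) -> bool:
    """Accept only http(s) URLs that carry a host. urlsplit lowercases the
    scheme, so case variants are covered; requiring a netloc rejects inputs
    with no host at all, such as 'http:example.com'."""
    parts = urlsplit(normalise_url(url))
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)

# Constructed sample inputs: a legitimate URL, the reporter's javascript:
# payload, two variants the deny-list misses, file:// and a host-less http.
SAMPLES = [
    "https://changedetection.io/",
    "javascript:alert(document.domain)",
    "JavaScript:alert(document.domain)",
    "  java\tscript:alert(document.domain)",
    "file:///etc/passwd",
    "http:example.com",
]

def compare_checks(urls=SAMPLES):
    """Return {url: (deny_list_rejects(url), is_allowed_watch_url(url))}."""
    return {u: (deny_list_rejects(u), is_allowed_watch_url(u)) for u in urls}

if __name__ == "__main__":
    for url, (rejected, allowed) in compare_checks().items():
        print(f"{url!r:42} deny-list rejects={rejected!s:5} allow-list accepts={allowed}")
```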