XSS Vulnerability in ScenesController.js #3367
Comments
Thanks for the PR. It also seems not possible to change a name to a non-latin name. Is there another solution?

Well, you're right. My focus was to (quickly) fix the XSS vulnerability. Until now, I used encodeURI(), which does not escape as many chars as encodeURIComponent(). Especially because (as you mentioned) some chars will be displayed as escaped chars. Browsing OWASP sites, I found a library for special XSS escaping: Unfortunately I do not have enough free time to fix the XSS with proper presentation for the item.name. Maybe at a later point in time. I really recommend to you / the community to rewrite the whole mechanism of adding, or let's say at least of displaying, scenes in a safe way with escaping + good presentation for the name.

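The comment above weighs encodeURI() against encodeURIComponent(). Both are URL encoders, and neither is designed for a value that ends up inside HTML. The following is an added example, not code from the original page or from Domoticz: it puts an HTML-context escape next to escape(), encodeURI() and encodeURIComponent() on three constructed scene names (the payload from the issue, a non-latin name as raised by the maintainer, and a name with a bare <). The render helpers and the sample names are illustrative assumptions, not the controller's code.

```javascript
// Added example, not code from ScenesController.js or Domoticz: an
// HTML-context escape for item.name, compared with the URL encoders
// discussed in the thread on constructed scene names.

// Escape the characters that change meaning when a string lands in HTML text
// or inside a quoted attribute value. Non-ASCII characters pass through.
function htmlEscape(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical render helpers modelling the pattern at issue: markup built by
// string concatenation. The unsafe one is the "before", the safe one the fix.
function renderSceneRowUnsafe(item) {
  return '<tr><td>' + item.name + '</td></tr>';
}

function renderSceneRowSafe(item) {
  return '<tr><td>' + htmlEscape(item.name) + '</td></tr>';
}

// Apply the candidate transforms to one name so they can be compared.
function compareEncodings(name) {
  return {
    escape: escape(name), // deprecated; included only for comparison
    encodeURI: encodeURI(name),
    encodeURIComponent: encodeURIComponent(name),
    htmlEscape: htmlEscape(name),
  };
}

// Constructed sample names: the payload from the issue, a non-latin name
// (the display problem the maintainer raised), and a name with a bare "<".
const SAMPLES = [
  '<script>alert("XSS");</script>',
  'Küche',
  'Temp < 20',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const name of SAMPLES) {
    console.log(compareEncodings(name));
    console.log(renderSceneRowSafe({ name }));
  }
}
```

Run it with node. The comparison shows the two effects the thread is circling around: encodeURI() and encodeURIComponent() turn Küche into K%C3%BCche (the non-latin display problem) and leave ' untouched, whereas htmlEscape() keeps the name readable and converts every character that can open a tag or close a quoted attribute.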
@Frige1, sure, but as this is an open source project, it would be great if you could contribute a patch that doesn't break functionality.

Yeah, you're right. I'll try to find some time till Sunday/Monday.

Thanks, much appreciated!

I tried to understand the software better. Unfortunately, I cannot find any code documentation, so I had to reverse-engineer it. Correct me if there is some code documentation. I found some decoding methods for JSON and I believe it works like this (correct me please):
This is a problem not only for the ScenesController.js; it leads to a problem for the whole webapp. You can test it if you add a scene with the mentioned script and open "localhost:8080/#/Devices". Well, I did not check all input fields of forms, but I guess all input fields can lead to an XSS, whether they get encoded/escaped or not. Last but not least:

Reading and writing from and to the database is done in C++, no XSS there. But reading and writing in the GUI is done via JavaScript.

Obviously, there is no XSS in C++. So parsing HTML with no escaping/encoding for variables with input from the DB will always be an XSS in JS.

Yep, we are on the same line.

Oh well, this is a critical problem for the whole webapp. I see two options so far:
Looking forward to more ideas.

@Frige1, I think it is best to keep the JSON clean.

Keep in mind, this will result in a persistent XSS vulnerability. The attacker can store, and will try spreading, scripts in any place he can in the DB. Any time someone writes code for the frontend and misses script handling, it will lead again to an XSS. I prefer escaped data through the frontend over the backend. And mobile applications, let's say Android or iOS, can decode JSON data. I cannot test it for iOS, but for Android (mainly Java) I can say there exist decode functions.

I think we should keep the JSON output as it is... who knows what we will add in the future. abcd817#diff-d770ada4194786ba884ee2979332f94a This should prevent XSS attacks in the ScenesController. Basically, by adding/updating a scene/devices/..., you purify the name with

Does this also prevent the same type of script injection in level names of a selector device, or are more code changes required?

Okay, on second thought, it might indeed be better to do this in the backend in the add/update xx functions...

@rwaaren, a lot of code changes are required... but I will try to do this in the backend... so when someone enters a malicious name, it will be sanitized.

@gizmocuz I tried this library and it looks good as a fix for this specific controller.js. But as you already mentioned, it would be better to clean up the stored/persistent XSS vulnerability that still exists. If I get more free time, I will continue my training/learning "Angular". Maybe I find enough time to rewrite the frontend from JS controllers to Angular (TypeScript). But I can promise nothing. One of the purposes of Angular is the cross-site scripting security model. They view all inputs as untrusted by default. https://angular.io/guide/security Unless the community still wants to use JavaScript for the controllers and frontend.

@Frige1, for testing I added some code to sanitize text in the C++ code. Currently it will strip tags (between < and >) containing the following text: for example "Hello<script>bladiebla< / script >" will be stripped down to "Hellobladiebla". Is it possible you could test this? After this I will add this check in all add/update functions (lights/utility etc., anything that stores names in Domoticz via the web interface).

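To make the stripping rule described above concrete, here is an added JavaScript model of it. It is not the project's C++ code, which is not shown on this page; it removes every run from < to the next > and reproduces the "Hello<script>bladiebla< / script >" to "Hellobladiebla" behaviour from the comment. The same model makes the trade-off the thread is debating visible: sanitizing on write is lossy for names that legitimately contain a < ... > pair, and it leaves characters such as " untouched, so the stored name is only "clean" for one output context. The sample names are constructed for the example.

```javascript
// Added example: a JavaScript model of the backend rule described in the
// comment above (strip everything between "<" and ">"). It is not the C++
// code from Domoticz; it exists only to show what such a rule keeps and loses.

// Remove every run from "<" up to and including the next ">". One pass is
// enough: the only "<" that can survive is one with no ">" anywhere after
// it, so the result never contains a complete "<...>" sequence.
function stripTags(name) {
  return String(name).replace(/<[^>]*>/g, '');
}

// True when the sanitizer changed the value, i.e. the stored name would no
// longer match what the user typed.
function isLossy(name) {
  return stripTags(name) !== String(name);
}

// Constructed sample names (not real data): the maintainer's example, a
// payload built from nested tags, a name that legitimately uses "<" and ">",
// a name with a bare "<", and a value containing no angle brackets at all
// (which a tag stripper cannot touch, whatever context it is later used in).
const SAMPLES = [
  'Hello<script>bladiebla< / script >',
  '<scr<script>ipt>',
  'Temp < 20 > 10',
  '5 > 3 and 2 < 4',
  '" onfocus="alert(1)',
];

// Tabulate what would be stored for each input and whether data was lost.
function report(names) {
  return names.map((n) => ({ input: n, stored: stripTags(n), lossy: isLossy(n) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(report(SAMPLES));
}
```

Running it with node shows "Temp < 20 > 10" stored as "Temp  10" and the last sample stored unchanged: a write-time stripper decides for every future consumer (web GUI, mobile apps, a later rewrite) what the name is, while saying nothing about the context in which that consumer inserts it.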
@Frige1, a lot of GUI code is already in AngularJS and therefore probably not vulnerable.

Yeah, I'll try to test it. Could you refer me to the commit, so I get an idea of the added code?

Closing issue, should be resolved. Please feel free to continue if it's not.

Description
The ScenesController.js is vulnerable to XSS. Adding a scene with some script in the scene name will lead to an XSS.
Obviously this is rewarding for an attacker if he has the privilege to add or edit scenes. The attacker can execute arbitrary code.
Affected Version
Current release 4.10717
Steps to Reproduce
1. Run ./domoticz
2. Open http://localhost:8080/#/Scenes in your browser.
3. Add a scene with the name <script>alert("XSS");</script>
Fix
Some escape() is used in the ScenesController.js, but this XSS is still present. Escaping the item.name fixes the XSS. Furthermore, use encodeURI() instead of escape(). The escape() function was deprecated in JavaScript v1.5. See PR #3368