Stored-XSS vulnerability lead to remote code execution #5397

Open
math1as opened this Issue Sep 3, 2018 · 1 comment

math1as commented Sep 3, 2018

  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist (usually found in log/gogs.log):

Description

There is no X-Content-Type-Options: nosniff header when viewing a raw file.
This causes MIME type sniffing in some browsers, which finally turns into a stored XSS vulnerability.
Although there is an HttpOnly flag on the cookie, an attacker could still get the CSRF token and edit the pre-receive script to carry out a remote code execution attack.
I could perform this attack in IE11/10 and other browsers using the IE core.

POC

TESTEML
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

=3Ciframe=20src=3D=27https://try.gogs.io/mathiaswu/33323/raw/master/1221.html=27=3E=3C=2Fiframe=3E

Save it to a .eml file and open it in IE11.

[screenshot: xss-gogs]

Patch

Add an X-Content-Type-Options: nosniff header to prevent the browser from MIME type sniffing, just as GitHub / GitLab do.
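As an added example (not Gogs' own code), the fix described above in a minimal Go net/http stand-in for the raw-file endpoint: the bare handler serves a stored blob without the header, and the noSniff wrapper adds it. The handler name, request path and sample blob are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// rawFileHandler stands in for the raw-file endpoint: it returns the stored blob
// verbatim with a text/plain content type. The blob below is a constructed sample
// of an HTML file committed to a repository; a browser that sniffs the body
// instead of trusting the declared type may render it as HTML.
func rawFileHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "text/plain; charset=utf-8")
	fmt.Fprint(w, "<script>alert(1)</script>")
}

// noSniff wraps any handler and sets X-Content-Type-Options: nosniff so the
// browser honours the declared Content-Type instead of guessing one.
func noSniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// ServeRaw issues an in-memory GET for a raw file against h and returns the
// X-Content-Type-Options value of the response ("" if absent) and the status.
func ServeRaw(h http.Handler) (string, int) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/user/repo/raw/master/1221.html", nil)
	h.ServeHTTP(rec, req)
	res := rec.Result()
	defer res.Body.Close()
	return res.Header.Get("X-Content-Type-Options"), res.StatusCode
}

func main() {
	// Before the patch the header is missing; after wrapping it is present.
	before, _ := ServeRaw(http.HandlerFunc(rawFileHandler))
	after, _ := ServeRaw(noSniff(http.HandlerFunc(rawFileHandler)))
	fmt.Printf("before=%q after=%q\n", before, after)
}
```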

Discoverer

Wenxu Wu of Tencent's Xuanwu Lab

@math1as math1as changed the title from Stored-XSS vulnerability in viewing raw file. to Stored-XSS vulnerability lead to remote code execution Sep 3, 2018

cezar97 commented Sep 3, 2018

Thanks @math1as! I noticed this too but never bothered digging :)
