XSS and HTML Injection on Create Shopping List & shopping list item notes (Rendered upon deleting it) #996
Comments
Merged #991 into this. So this also affects shopping list item notes.

I can reproduce this also on: users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes, products (For all: add an item named For recipes: you can also use a product named

via API or JS-Console: Create a userfield, e.g. for products, use USERFIELD_TYPE_PRESET_CHECKLIST ( = "Select list (multiple items can be selected)"), add

I fixed some parts of the mentioned places, see the referenced commits above. Maybe filtering the input before saving it (so mostly in the "Generic entity interactions" API routes) would be better...

I think this should now be resolved, I've added filtering of the whole request body for all API routes in c110014. Feel free to play around with it on the pre-release demo and let me know here if you find any other/leftover places where this is still possible.
Not sure if it's related but on the pre-release demo I cannot edit stock entries anymore. |
Maybe, I added to use htmlpurifier to just filter all request body properties (code ref), so maybe this breaks/removes something which is not "bad HTML"... Moved this to #1055. |
Edit by @berrnd:
Just to note that here:
I don't consider this critical for grocy, this cannot be done unauthenticated, grocy is not an application you (should) host publicly (means without authentication) on the internet.
Vulnerability Name: Stored Cross Site Scripting & HTML Injection
Vulnerability Description: grocy household management solution v2.7.1 allows stored XSS and HTML Injection via the Create Shopping List module, which is rendered upon deleting that Shopping List.
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of JavaScript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context, allowing the attacker to access any cookies or session tokens retained by the browser.
HTML injection occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. Consequences can be disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.
Vulnerable URL: http://127.0.0.1/shoppinglist/new
Payload:
Steps to Reproduce:
Request:
POST /api/objects/shopping_lists HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/shoppinglist/new
Content-type: application/json
Content-Length: 38
Connection: close
Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd
{"name":" "}
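The two defensive options discussed in this thread are filtering the stored value on save (the htmlpurifier approach that later broke stock entry editing) and encoding the value at the point where it is placed into HTML (for example, the delete-confirmation message that rendered the name). The following is an added example written for this page, not grocy's own code; the message format, the function names and the naive tag-stripping filter used as a stand-in for an input filter are all assumptions. It shows why output encoding is the safer default: it neutralises markup in a hostile name while leaving a legitimate name that merely contains angle brackets intact, whereas stripping on save silently alters the stored data.

```javascript
// Added example (not grocy's code): output-encode untrusted entity names
// before they are concatenated into an HTML string such as a delete dialog.

// Escape the characters that carry meaning in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored name is concatenated straight into markup,
// so any tags inside it become part of the page.
function buildDeleteMessageUnsafe(listName) {
  return 'Are you sure to delete shopping list "' + listName + '"?';
}

// Hardened pattern: the same message, with the name encoded at render time.
function buildDeleteMessageSafe(listName) {
  return 'Are you sure to delete shopping list "' + escapeHtml(listName) + '"?';
}

// Assumed stand-in for "filter the request body on save": a naive tag
// stripper. Real purifiers are smarter, but the failure mode is the same:
// the filter has to guess which input is "bad HTML" and can destroy data.
function stripTagsOnSave(value) {
  return String(value).replace(/<[^>]*>/g, '');
}

// Constructed sample inputs: one hostile name and one legitimate name that
// only happens to contain angle brackets.
const HOSTILE_NAME = '<script>alert(1)</script>';
const LEGIT_NAME = 'Apples <2kg>';

// Does the rendered message still contain a raw tag? (A defender's check:
// true means the name would be interpreted as markup, not shown as text.)
function containsRawTag(html) {
  return /<[a-zA-Z!\/][^>]*>/.test(html);
}

// Summarise how each strategy treats the two names.
function compareStrategies() {
  return {
    unsafeLeaksMarkup: containsRawTag(buildDeleteMessageUnsafe(HOSTILE_NAME)),
    safeLeaksMarkup: containsRawTag(buildDeleteMessageSafe(HOSTILE_NAME)),
    // Encoding keeps the original value recoverable: the browser displays
    // "Apples <2kg>" exactly as typed.
    encodedLegitName: escapeHtml(LEGIT_NAME),
    // Filtering on save changes what the user entered before it is stored.
    filteredLegitName: stripTagsOnSave(LEGIT_NAME),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compareStrategies());
}
```

The `containsRawTag` check is the kind of assertion a regression test for this issue can make on every place an entity name is inserted into the page: the encoded message must never contain a raw tag, whatever the stored name is.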