Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

XSS and HTML Injection on Create Shopping List & shopping list item notes (Rendered upon deleting it) #996

Closed
muffyhub opened this issue Sep 8, 2020 · 7 comments
Labels
Milestone

Comments

@muffyhub
Copy link

muffyhub commented Sep 8, 2020

Edit by @berrnd:

Just to note that here:
I don't consider this critical for grocy, this cannot be done unauthenticated, grocy is not an application you (should) host publicly (means without authentication) on the internet.


Vulnerability Name: Stored Cross Site Scripting & HTML Injection

Vulnerability Description: grocy household management solution v2.7.1, allows stored XSS and HTML Injection, via Create Shopping List module, that is rendered upon deletiing that Shopping List.
Cross Site Scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to the web application. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.
HTML injection occurs when a user is able to control an input point and is able to inject arbitrary HTML code into a vulnerable web page. Consequences can be disclosure of a user's session cookies that could be used to impersonate the victim, or, more generally, it can allow the attacker to modify the page content seen by the victims.

Vulnerable URL: http://127.0.0.1/shoppinglist/new

Payload:

1. <marquee onstart=alert(document.cookie)> 
2. <h1>HTML Injection</h1>

Steps to Reproduce:

  1. Login to the application
  2. Go to 'Shooping List' module
  3. Click on 'New Shopping List' module
  4. Enter the payload: in 'Name' input field.
  5. Click Save
  6. Click 'Delete Shopping List'
  7. Request:
    POST /api/objects/shopping_lists HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
    Accept: /
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/shoppinglist/new
    Content-type: application/json
    Content-Length: 38
    Connection: close
    Cookie: grocy_session=GhIjKZyST7Qkx18Q97u9MaPM1LsMtBmcJ6I59gxTO3Ks4WJXUd
    {"name":" "}

@berrnd berrnd added the ui-bug label Sep 8, 2020
@berrnd berrnd added this to the v3.0.0 milestone Sep 8, 2020
@berrnd
Copy link
Member

berrnd commented Sep 8, 2020

Merged #991 into this.

So this also affects shopping list item notes.

@berrnd berrnd changed the title XSS and HTML Injection on Create Shopping List (Rendered upon deleting it) XSS and HTML Injection on Create Shopping List & shopping list item notes (Rendered upon deleting it) Sep 8, 2020
@fipwmaqzufheoxq92ebc
Copy link
Contributor

fipwmaqzufheoxq92ebc commented Sep 8, 2020

I can reproduce this also on: users, batteries, chores, equipment, locations, quantity units, shopping locations, tasks, taskcategories, product groups, recipes, products

(For all: add an item named <marquee onstart=alert(document.cookie)> , save and try to delete it)

For recipes: you can also use a product named <marquee onstart=alert(document.cookie)> as ingredient and delete it from the ingredient list (or an included recipe named so)

@fipwmaqzufheoxq92ebc
Copy link
Contributor

via API or JS-Console:
Grocy.Api.Put('objects/shopping_lists/1', {"description":" <marquee onstart=alert(document.cookie)> "})
and then open the shopping list
or
Grocy.Api.Put('objects/recipes/2', {"description":" <marquee onstart=alert(document.cookie)> "})
and then open the recipe (in recipes list or in recipe form)

Create a userfield, e.g. for products, use USERFIELD_TYPE_PRESET_CHECKLIST ( = "Select list (multiple items can be selected)"), add <marquee onstart=alert(document.cookie)> as value, choose "Show in tables", and then edit any product, check the field, and open the stockoverview

@berrnd
Copy link
Member

berrnd commented Sep 8, 2020

I fixed some parts of the mentioned places, see the referenced commits above. Maybe filtering the input before saving it (so mostly in the "Generic entity interactions" API routes") would be better...

berrnd added a commit that referenced this issue Oct 14, 2020
This reverts commit 0df2590.

Revert "Excape shopping list item notes (references #996)"

This reverts commit 0624b0d.
berrnd added a commit that referenced this issue Oct 14, 2020
@berrnd
Copy link
Member

berrnd commented Oct 14, 2020

I think this should now be resolved, I've added fiiltering of the whole request body for all API routes in c110014.

Feel free to play around with it on the pre-release demo and let me know here if you find any other/leftover places where this is still possible.

@berrnd berrnd closed this as completed Oct 14, 2020
@kriddles
Copy link
Contributor

I think this should now be resolved, I've added fiiltering of the whole request body for all API routes in c110014.

Feel free to play around with it on the pre-release demo and let me know here if you find any other/leftover places where this is still possible.

Not sure if it's related but on the pre-release demo I cannot edit stock entries anymore.

@berrnd
Copy link
Member

berrnd commented Oct 15, 2020

Not sure if it's related but on the pre-release demo I cannot edit stock entries anymore.

Maybe, I added to use htmlpurifier to just filter all request body properties (code ref), so maybe this breaks/removes something which is not "bad HTML"...

Moved this to #1055.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Development

No branches or pull requests

4 participants