
Open Redirect / XSS via iframe with sandbox. #1263

Open
Ry0taK opened this issue Aug 21, 2019 · 5 comments
Comments

Ry0taK (Contributor) commented Aug 21, 2019

Summary

This is a similar issue to #959, but with a different cause.
Because the sandbox attribute is allowed, an attacker can redirect the victim to something malicious by embedding an iframe with allow-top-navigation in its sandbox attribute.
#959 won't work in Chrome because of its security measures, but this will work because sandbox is a whitelisted attribute.
This will be XSS in Safari by using the data scheme.

Steps to reproduce

  1. Type <iframe src="https://example.com/hackmd.html" sandbox="allow-scripts allow-top-navigation allow-scripts"></iframe> in the Editor. (It doesn't work any more because my domain has expired.)
  2. View the edited page.

PoC
(This PoC will redirect you to example.com)

CVE

CVE-2019-15499

Suggested fix

Don't allow the sandbox attribute in public/js/render.js.
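Added example, not code from this thread and not CodiMD's own public/js/render.js: a minimal iframe attribute whitelist in JavaScript that models the renderer's whitelist before and after the suggested fix. The attribute names in the whitelist, the tag parser and the data:/javascript: src check are this example's own assumptions, not the project's actual list. Run it with Node: the payload from the report passes through the vulnerable whitelist unchanged and loses its sandbox attribute under the fixed one.

```javascript
// Added example, not CodiMD's own public/js/render.js: a minimal iframe
// attribute whitelist showing why letting document authors set "sandbox"
// is unsafe. The whitelist contents, the tag parser and the src scheme
// check are assumptions made for this example.

// name="value" / name='value' / name=value pairs inside a tag.
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attributes of one <iframe ...> tag into a lowercase name -> value map.
function parseIframeAttrs(tag) {
  const m = /^<iframe\b([^>]*)>/i.exec(tag.trim());
  if (!m) throw new Error('expected an <iframe> tag');
  const attrs = {};
  for (const a of m[1].matchAll(ATTR_RE)) {
    attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? '';
  }
  return attrs;
}

// sandbox tokens that grant the framed document the right to navigate the
// top-level page, which is the capability abused in this report.
const TOP_NAV_TOKENS = new Set([
  'allow-top-navigation',
  'allow-top-navigation-by-user-activation',
]);

function sandboxAllowsTopNavigation(sandboxValue) {
  return sandboxValue
    .toLowerCase()
    .split(/\s+/)
    .some((token) => TOP_NAV_TOKENS.has(token));
}

// Whitelist as assumed before the fix (author-controlled sandbox) and after
// it (sandbox dropped, as the report suggests).
const VULNERABLE_WHITELIST = new Set([
  'src', 'width', 'height', 'frameborder', 'allowfullscreen', 'sandbox',
]);
const FIXED_WHITELIST = new Set([...VULNERABLE_WHITELIST].filter((n) => n !== 'sandbox'));

// Keep only whitelisted attributes and re-serialise the tag.
function sanitizeIframe(tag, whitelist) {
  const kept = [];
  for (const [name, value] of Object.entries(parseIframeAttrs(tag))) {
    if (!whitelist.has(name)) continue;
    // Assumption beyond the report: also refuse data: and javascript: src
    // values, so an author cannot frame an inline document of their own.
    if (name === 'src' && /^\s*(data|javascript):/i.test(value)) continue;
    kept.push(`${name}="${value.replace(/"/g, '&quot;')}"`);
  }
  return `<iframe${kept.length ? ' ' + kept.join(' ') : ''}></iframe>`;
}

// The payload from the report, constructed here from the issue text.
const REPORTED_PAYLOAD =
  '<iframe src="https://example.com/hackmd.html" sandbox="allow-scripts allow-top-navigation allow-scripts"></iframe>';

console.log('before fix:', sanitizeIframe(REPORTED_PAYLOAD, VULNERABLE_WHITELIST));
console.log('after fix: ', sanitizeIframe(REPORTED_PAYLOAD, FIXED_WHITELIST));
```

The point of dropping the attribute rather than filtering its tokens is that a sandbox value is a list of capabilities the embedder grants to the framed origin; if the document author controls the value, the author is the one granting them. With the attribute gone the iframe is simply not sandboxed, which still leaves whatever navigation a plain cross-origin frame can perform, the question SpyroTEQ raises below and the reason #959 is tracked separately.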

Ry0taK (Contributor, Author) commented Aug 21, 2019

Can I request a CVE number for this vulnerability?

jackycute (Member) commented

Hi @Ry0taK,
Thanks for reporting this to us.
Yes, I think you can report it to CVE; this should be fixed soon.

Ry0taK (Contributor, Author) commented Aug 21, 2019

Hello @jackycute
Thank you for your reply.
I've requested a CVE number from MITRE Corporation.

Regards,
RyotaK

SpyroTEQ commented

Hi,
I'm not a user of this project (I ended up here through the CVE RSS feed), but I don't get why removing/disallowing the sandbox attribute will protect against or change anything.

This, served at http://victim.localhost/

<iframe src="http://attacker.localhost/contained.html">
</iframe>

With this evil contained page

<script>
window.top.location.href = 'https://example.com/';
</script>

will also redirect the top page to https://example.com/?! Why are things safer after the patch?

jackycute (Member) commented

Hi @SpyroTEQ,

So disallowing the sandbox attribute is the first step to prevent this vulnerability.
There is another issue to track this: #959

edgarogh pushed a commit to WartaPoirier-corp/codimd that referenced this issue Sep 21, 2021
…d-8.x

Update dependency mermaid to v8.10.1 (master)