Open Redirect / XSS via iframe with sandbox. #1263
Comments
Can I request a CVE number for this vulnerability?

Hi @Ry0taK,

Hello @jackycute Regards,

Hi,

This, served at

```html
<iframe src="http://attacker.localhost/contained.html">
</iframe>
```

With this evil contained page

```html
<script>
window.top.location.href = 'https://example.com/';
</script>
```

Will also redirect top page to
…d-8.x Update dependency mermaid to v8.10.1 (master)
Summary
This is a similar issue to #959, but with a different cause.
Because the `sandbox` attribute is allowed, an attacker can redirect the victim to something malicious if the attacker embeds an iframe with `allow-top-navigation` in the `sandbox` attribute.
#959 won't work in Chrome because of their security, but this will work because `sandbox` is a whitelisted attribute.
This will be XSS in Safari by using the data scheme.
Step to reproduce
`<iframe src="https://example.com/hackmd.html" sandbox="allow-scripts allow-top-navigation allow-scripts"></iframe>` in Editor. (It doesn't work because my domain is expired.)
PoC
(This PoC will redirect you to example.com)
CVE
CVE-2019-15499
Suggested fix
Don't allow `sandbox` attribute in public/js/render.js.
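
One way to apply the suggested fix in a renderer's attribute filter, as an added example that is not part of the original issue or the project's code: rather than passing the user-supplied `sandbox` value through, the filter keeps only tokens that cannot navigate the top window, always emits a `sandbox` attribute, and rejects non-http(s) `src` values such as `data:`. The function names, the default token and the allowed-token set are assumptions.

```javascript
// Added example; helper names are hypothetical, not from public/js/render.js.

// Sandbox tokens the renderer passes through. Tokens that let the framed
// page navigate the top-level window (allow-top-navigation and its
// variants) are deliberately absent, as are all unknown tokens.
const SAFE_SANDBOX_TOKENS = new Set(['allow-scripts', 'allow-forms']);

// Assumed default when the note author supplies no sandbox attribute.
const DEFAULT_SANDBOX = 'allow-scripts';

// data: and javascript: sources are rejected by only accepting http(s).
const ALLOWED_SRC_PROTOCOLS = new Set(['http:', 'https:']);

// Returns { src, sandbox } safe to render, or null if the iframe is dropped.
function hardenIframeAttrs(attrs) {
  let url;
  try {
    url = new URL(String(attrs.src)); // absolute URLs only; relative ones throw
  } catch (e) {
    return null;
  }
  if (!ALLOWED_SRC_PROTOCOLS.has(url.protocol)) return null;

  const requested = attrs.sandbox === undefined ? DEFAULT_SANDBOX : String(attrs.sandbox);
  const kept = [...new Set(requested.toLowerCase().split(/\s+/))]
    .filter((token) => SAFE_SANDBOX_TOKENS.has(token));

  // Always emit the attribute: an empty sandbox="" is the most restrictive
  // form, while a missing attribute leaves the frame unsandboxed.
  return { src: url.href, sandbox: kept.join(' ') };
}

function escapeAttr(value) {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;')
    .replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Serialises the hardened iframe, or returns '' when it was rejected.
function renderIframe(attrs) {
  const safe = hardenIframeAttrs(attrs);
  if (safe === null) return '';
  return `<iframe src="${escapeAttr(safe.src)}" sandbox="${escapeAttr(safe.sandbox)}"></iframe>`;
}
```
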