Vulnerability report - please contact #500

Closed
silviavali opened this Issue May 8, 2018 · 4 comments

Comments

Projects
None yet
3 participants
@silviavali

silviavali commented May 8, 2018

I would like to report a vulnerability. Could you please contact me on silviavali14@gmail.com as I did not manage to find any e-mail from your repo to contact you.

Best,
Silvia

laurent22 (Owner) commented May 8, 2018

Contacted, and keeping the issue open for further reference.

@laurent22 laurent22 added the security label May 8, 2018

@laurent22 laurent22 closed this in 494e235 May 9, 2018

laurent22 (Owner) commented May 9, 2018

Fix will be available in next release.

@laurent22 laurent22 reopened this May 9, 2018

foxmask (Collaborator) commented May 10, 2018

1.0.90 released

@foxmask foxmask closed this May 10, 2018

silviavali commented May 10, 2018

"XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process"

Fixed in version 1.0.90
Vulnerable field: Note content field

As Electron-based applications are built using web technologies like HTML, CSS and JS, they are also prone to web-based attacks. If a cross-site scripting vulnerability (XSS) is found in an Electron application where node integration has been enabled for that particular BrowserWindow instance (XSS + webPreferences nodeIntegration: true), the attacker has the capability to require node modules like 'os', etc., and hence to access operating-system native primitives. This allows XSS in Electron applications to evolve into code execution.

Payload used for PoC:
"><img src=1 onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">

[screenshot: joplin2]

Good reference to Electron related issues:
https://www.blackhat.com/docs/us-17/thursday/us-17-Carettoni-Electronegativity-A-Study-Of-Electron-Security-wp.pdf
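
The chain described in the report, worked through as an added example that is not part of the issue thread and not Joplin's code: an audit function that flags BrowserWindow webPreferences which let an XSS reach Node (nodeIntegration on, contextIsolation off, no sandbox), and a small allow-list HTML sanitizer for note content, run against the PoC payload above. The two webPreferences objects and the tag/attribute allow-list are constructed for illustration; they are not Joplin's real configuration or its fix in 1.0.90. The script runs under plain Node and imports nothing from Electron.

```javascript
'use strict';

// Added example, not Joplin's code. Two layers against the XSS -> RCE chain
// above: (1) an audit of BrowserWindow webPreferences, (2) an allow-list
// sanitizer for note HTML, exercised with the PoC payload from the report.
// Runs under plain Node; nothing here imports `electron`.

// 1. Configuration audit. A setting counts as unsafe unless it is explicitly
// set to the safe value, so the result does not depend on Electron's version
// defaults (nodeIntegration defaulted to true before Electron 5,
// contextIsolation to false before Electron 12).
function auditWebPreferences(prefs = {}) {
  const findings = [];
  if (prefs.nodeIntegration !== false) {
    findings.push('nodeIntegration not disabled: page JS can call require()');
  }
  if (prefs.contextIsolation !== true) {
    findings.push('contextIsolation not enabled: page JS shares a world with the preload script');
  }
  if (prefs.sandbox !== true) {
    findings.push('sandbox not enabled: renderer runs without the OS sandbox');
  }
  if (prefs.webSecurity === false) {
    findings.push('webSecurity disabled: same-origin policy is off');
  }
  return findings;
}

// Constructed configurations (assumptions, not Joplin's real settings): the
// shape the report describes, and a hardened window where a preload script
// would expose a narrow IPC surface instead of the whole Node runtime.
const VULNERABLE_PREFS = { nodeIntegration: true };
const HARDENED_PREFS = { nodeIntegration: false, contextIsolation: true, sandbox: true };

// 2. Allow-list sanitizer for rendered note HTML. The allow-list is
// illustrative (assumption, not Joplin's). Unknown tags are dropped, unknown
// attributes (so every on* handler) are dropped, URL attributes are checked,
// and text outside tags is escaped so a stray `">` cannot open a new tag.
const ALLOWED_TAGS = {
  p: [], br: [], b: [], i: [], em: [], strong: [], code: [], pre: [],
  ul: [], ol: [], li: [], blockquote: [],
  a: ['href', 'title'],
  img: ['src', 'alt'],
};
const URL_ATTRS = new Set(['href', 'src']);

// Allow http(s)/mailto or scheme-less URLs. Control characters and
// whitespace are removed first because browsers ignore them inside a
// scheme, so `java\nscript:` would otherwise slip through.
function isSafeUrl(value) {
  const cleaned = value.replace(/[\x00-\x20\x7f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  return !m || ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAttr = (s) =>
  s.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;').replace(/>/g, '&gt;');

// One tag, allowing `>` inside quoted attribute values; an unbalanced quote
// makes the match fail, and that `<` is then escaped as text.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:[^>"']|"[^"]*"|'[^']*')*)>/g;
const ATTR_RE = /([^\s=\/"'<>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function rebuildTag(closing, name, rawAttrs) {
  const allowedAttrs = ALLOWED_TAGS[name];
  if (!allowedAttrs) return '';          // tag not on the allow-list: drop it
  if (closing) return `</${name}>`;
  let out = `<${name}`;
  for (const m of rawAttrs.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!allowedAttrs.includes(attr)) continue;             // drops onerror etc.
    if (URL_ATTRS.has(attr) && !isSafeUrl(value)) continue; // drops javascript: URLs
    out += ` ${attr}="${escapeAttr(value)}"`;
  }
  return out + '>';
}

function sanitizeNoteHtml(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));
    out += rebuildTag(m[1] === '/', m[2].toLowerCase(), m[3]);
    last = m.index + m[0].length;
  }
  return out + escapeText(html.slice(last));
}

// The PoC payload from the report, as the note content an attacker would store.
const POC_PAYLOAD = `"><img src=1 onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">`;

console.log('vulnerable window:', auditWebPreferences(VULNERABLE_PREFS));
console.log('hardened window:  ', auditWebPreferences(HARDENED_PREFS));
console.log('sanitized payload:', sanitizeNoteHtml(POC_PAYLOAD)); // "&gt;<img src="1">
```

The sanitizer is the second line of defence; the first is the window configuration. With nodeIntegration disabled and contextIsolation enabled, the same payload would still be an XSS but `require` would be undefined in the page, so it could not reach `os` or the filesystem.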
