
XSS and IFrame Injection Issues on v1.0.104 #740

Closed
metamorfosec opened this issue Aug 28, 2018 · 4 comments

Comments

3 participants
@metamorfosec

commented Aug 28, 2018

(Redacted for now)

@laurent22

Owner

commented Aug 28, 2018

If this is really a security issue it's not a proper way to disclose it. You should contact a dev or moderator first and give us time to fix the issue.

In which way can this trick be used to, for example, steal user data?

@metamorfosec

Author

commented Aug 28, 2018

Hello,

I planned to use a Coordinated and Responsible Disclosure mechanism, but I saw your guideline here about how to report a bug and I decided to follow it. Maybe the guideline needs to be revised to prevent any misunderstanding in the future.

All my previous payloads are non-intrusive. Maybe you have still not completely fixed issue #500, since I can still trigger the JS alerts, although I cannot prove any user data could be stolen.

Regards.

@tessus

Collaborator

commented Aug 29, 2018

@laurent22, did you see what I sent you on discourse?

@laurent22

Owner

commented Sep 9, 2018

HTML support is a feature, not a bug and while you can indeed add a lot of random broken things in a note via HTML it's not proven that it can be exploited to either access the user system or view/change user data. Any access from HTML to Joplin or to the system is filtered (via a white list) so normally it's not possible to call arbitrary functions.

I'm not saying there's definitely no security issue but the above post doesn't prove there is one, and I can't think how the feature can be exploited so for now I'm closing the issue.
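The comment above describes the mitigation in terms of an allow list: HTML in a note is filtered so that only known elements and attributes survive. The block below is an added illustration of that property and is not Joplin's own filter; the element and attribute policy, the accepted URL schemes and the list of elements whose content is discarded are all assumptions chosen for the example. It is written without a DOM so it runs under plain Node; a production filter should sit on a real HTML parser rather than on regular expressions, since the tokenizer here stops an attribute value at the first `>`.

```javascript
// Added example (not Joplin's code): an allow-list HTML filter. Anything
// not explicitly listed is removed, so script, iframe, event-handler
// attributes and javascript: URLs never reach the renderer.

// Hypothetical policy: element -> attributes that may survive on it.
const ALLOWED = {
  a: ['href', 'title'], b: [], i: [], em: [], strong: [], p: [], br: [],
  ul: [], ol: [], li: [], code: [], pre: [], img: ['src', 'alt'],
};
// URL-bearing attributes must start with one of these schemes or be relative;
// javascript:, data: and vbscript: never match, whatever the casing.
const SAFE_URL = /^(?:https?:|mailto:|\/|#)/i;
const URL_ATTRS = new Set(['href', 'src']);
// Elements whose whole content is discarded, not just the tag itself.
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed', 'noscript', 'template']);
const VOID = new Set(['br', 'img']);

// Escape text for re-emission; entities already present are left alone.
function escapeText(s) {
  return s
    .replace(/&(?![a-zA-Z#][a-zA-Z0-9]*;)/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Parse the raw attribute string of a tag into [name, value] pairs.
function parseAttrs(raw) {
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  const out = [];
  let m;
  while ((m = re.exec(raw)) !== null) {
    out.push([m[1].toLowerCase(), m[2] ?? m[3] ?? m[4] ?? '']);
  }
  return out;
}

// Rebuild the opening tag of an allowed element, keeping only allowed attributes.
function renderOpenTag(name, rawAttrs) {
  const keep = [];
  for (const [attr, value] of parseAttrs(rawAttrs)) {
    if (!ALLOWED[name].includes(attr)) continue;                 // on*, style, ... are never listed
    if (URL_ATTRS.has(attr) && !SAFE_URL.test(value.trim())) continue;
    keep.push(` ${attr}="${escapeText(value)}"`);
  }
  return `<${name}${keep.join('')}>`;
}

function sanitizeHtml(html) {
  const tokenRe = /<!--[\s\S]*?-->|<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
  let out = '';
  let last = 0;
  let skipUntil = null;   // set while inside a drop-with-content element
  let m;
  while ((m = tokenRe.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = tokenRe.lastIndex;
    if (skipUntil === null) out += escapeText(text);
    if (m[2] === undefined) continue;                            // HTML comment: dropped
    const closing = m[1] === '/';
    const name = m[2].toLowerCase();
    if (skipUntil !== null) {
      if (closing && name === skipUntil) skipUntil = null;       // end of the discarded element
      continue;
    }
    if (DROP_WITH_CONTENT.has(name)) {
      if (!closing) skipUntil = name;
      continue;
    }
    if (!(name in ALLOWED)) continue;                            // unknown element: tag stripped, text kept
    if (closing) {
      if (!VOID.has(name)) out += `</${name}>`;
    } else {
      out += renderOpenTag(name, m[3]);
    }
  }
  // An unclosed discarded element swallows the rest of the input.
  if (skipUntil === null) out += escapeText(html.slice(last));
  return out;
}
```

Running `sanitizeHtml` over a note body leaves ordinary markup such as `<p>Hello <b>world</b></p>` untouched, turns `<img src="/pic.png" onerror="alert(1)">` into `<img src="/pic.png">`, and reduces an `<iframe>` or `<script>` element, including everything inside it, to nothing. The design point is that the list names what is kept, so a new element or attribute the author never considered is rejected by default rather than needing a matching deny rule.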

@laurent22 laurent22 closed this Sep 9, 2018

@laurent22 laurent22 added security and removed question-w4f labels Sep 9, 2018
