XSS to code execution vulnerability #109

Closed
silviavali opened this issue Dec 1, 2017 · 4 comments
Comments

@silviavali

Hello,

I would like to report an XSS vulnerability in your application that leads to code execution.
I have a working PoC that I don't want to post publicly.
Please contact me at silviavali14@gmail.com

@silviavali (Author)

Update: within 90 days from 1 December (time of reporting) I will post a full disclosure of the issue on my blog. You have good numbers in terms of user base, judging by the stars this project has received on GitHub, so it would only be fair to the users if a fix was deployed that would prevent the code execution from occurring.

Report is still waiting to be sent.
Thanks

@atuttle

atuttle commented Jan 12, 2018

Props for good disclosure practices. @luin please contact her!

@silviavali (Author)

silviavali commented May 10, 2018

"XSS vulnerability evolving into code execution due to enabled nodeIntegration for the renderer process"

Initially reported: 9 Nov 2017
Vulnerability disclosed: 10 May 2018 due to no response from the project owner
Description of the application: Medis – an easy-to-use Redis management application
Version: 0.6.1 and earlier

Vulnerable field: key name parameter on new key creation

Problem: The application does not properly encode user input when displaying back the key name value submitted by the user. As this XSS presents itself within a BrowserWindow instance where nodeIntegration in the webPreferences options has been set to true, the attacker is able to require Node modules (access to operating system native primitives). In Electron applications, XSS along with the nodeIntegration: true option is considered a very dangerous combination and should be something to be cautious about.

How to reproduce:
Start redis (used localhost): redis-server
Start the app: npm run electron

  1. Fill in name, redis host and port -> Click Connect.

  2. Click to add a new key.

  3. Payload for the key name:
    <s <onmouseover="alert(1)"> <s onmouseover="var {shell} = require('electron'); shell.openExternal('file:/etc/passwd'); alert('XSS to RCE')">Hallo</s>

  4. Create Key. After creating the key, the user is shown the created key name in the selection.

If the user now hovers over the key name, the payload gets executed, which will pop up an alert box and open the "/etc/passwd" file from the user's machine.

DOM: [screenshot]

Still hoping for this vulnerability to be fixed though! :) Thanks
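The two halves of the bug described in the comment above, as an added example that is not Medis code and not part of the original thread: a key name concatenated into markup unencoded becomes live elements and event handlers, and the Electron webPreferences decide whether such a handler can reach require(). The rendering functions, the hasInjectedMarkup check and the two webPreferences objects are illustrative assumptions; Medis's actual rendering code is not shown in the issue.

```javascript
// Added example, not Medis code. Runs under plain Node.js: the Electron
// webPreferences below are real option names but are only compared here,
// never passed to a BrowserWindow.

// The payload posted in the issue, embedded here as a constructed test input.
const ISSUE_PAYLOAD = `<s <onmouseover="alert(1)"> <s onmouseover="var {shell} = require('electron'); shell.openExternal('file:/etc/passwd'); alert('XSS to RCE')">Hallo</s>`;

// Minimal HTML encoder for text placed into element content or a quoted
// attribute value. Every character that can open a tag, close one, or
// terminate an attribute is replaced by its entity.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (what the report describes): the key name is spliced
// straight into markup, so a crafted name becomes elements with handlers.
function renderKeyVulnerable(keyName) {
  return `<li class="key">${keyName}</li>`;
}

// Hardened pattern: encode before splicing, so the browser displays the
// name literally. With a real DOM node, `el.textContent = keyName` is the
// equivalent and avoids building HTML strings altogether.
function renderKeySafe(keyName) {
  return `<li class="key">${escapeHtml(keyName)}</li>`;
}

// Illustrative check (an assumption of this example): strip the template's
// own <li> wrapper and ask whether any raw tag opener survived inside it.
function hasInjectedMarkup(html) {
  const inner = html.replace(/^<li class="key">/, '').replace(/<\/li>$/, '');
  return /<[A-Za-z/]/.test(inner);
}

// What the reported window looked like: the renderer can call require(),
// so a DOM XSS becomes arbitrary Node/Electron API access.
const WEAK_WEB_PREFERENCES = { nodeIntegration: true };

// Hardened window options: no Node in the page, a separate JS world for the
// page, and the Chromium sandbox on. Anything the UI genuinely needs from
// Node is exposed from a preload script through contextBridge as a narrow,
// explicit API instead of a blanket require().
const HARDENED_WEB_PREFERENCES = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  // preload: path.join(__dirname, 'preload.js'), // where contextBridge lives
};

// True when a page-level XSS in a window with these options can reach Node.
function xssReachesNode(webPreferences) {
  return webPreferences.nodeIntegration === true
    || webPreferences.contextIsolation === false;
}

console.log('vulnerable render:', renderKeyVulnerable(ISSUE_PAYLOAD));
console.log('safe render      :', renderKeySafe(ISSUE_PAYLOAD));
console.log('weak prefs reach Node    :', xssReachesNode(WEAK_WEB_PREFERENCES));
console.log('hardened prefs reach Node:', xssReachesNode(HARDENED_WEB_PREFERENCES));
```

Both fixes are needed: output encoding stops this particular key name from becoming markup, while nodeIntegration: false plus contextIsolation: true keeps the next XSS, wherever it appears, from turning into code execution on the user's machine.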

@luin luin closed this as completed in 89e000d May 22, 2019
@luin (Owner)

luin commented May 22, 2019

@silviavali I didn't notice this issue and I'm really sorry for that. The issue has been fixed. Thank you for pointing this out ❤️ .

loocao pushed a commit to loocao/medis that referenced this issue Nov 11, 2019
luin added a commit that referenced this issue Mar 21, 2020