Cross-Site-Scripting vulnerability via crafted ebooks #110

Open
theGEBIRGE opened this issue May 7, 2024 · 0 comments
Hey, I've discovered a vulnerability in flow. I'm sticking to GitHub's default template for advisories (maybe consider adding a SECURITY.md):

Summary

Opening an ebook with malicious scripts inside leads to script execution inside the current browsing context.

Details

Because of the epub.js configuration option allowScriptedContent = true, it is possible to execute arbitrary JavaScript code from within an epub file:

allowScriptedContent: true,

epub.js itself uses an iframe to display the epubs. While it does set the sandbox attribute, it also sets allow-same-origin. This can't be changed by the consumer of the library. A combination of allow-scripts and allow-same-origin renders the sandboxing obsolete (see here).

The developers of epub.js warn about this.

PoC

An ebook can be crafted with Calibre to include this bare minimum script:

<script>
(async function() {
  console.warn("Hello from", document.domain);

  const img = document.createElement('img');
  img.src = 'https://miro.medium.com/v2/resize:fit:679/1*Rn01P34tQ1Y84T_duyE3CQ.gif';
  img.style.position = 'fixed';
  img.style.top = '0';
  img.style.left = '0';
  img.style.width = '100%';
  img.style.height = '100%';
  img.style.zIndex = '9999';

  document.body.prepend(img);
})();
</script>

That's it!

Impact

Users have to open a malicious book.
However, the attacker doesn't have to prepare a book specifically for flow, but can use some fingerprinting to determine in what environment it's running.

Distribution of malicious books could be done via pirate sites or even (online) conversion services, which could inject those malicious scripts.

Because of the nature of flow as a standalone browser app, there aren't many dangerous things an exploit could do. I don't know how the Dropbox authentication works, but maybe stored cookies or tokens inside LocalStorage could be exfiltrated.

This is pure speculation, though, as I don't have a Dropbox account to verify it.

Overall, I wouldn't be too worried. :^)

Some ideas

In an ideal world, scripted content would be turned off. There are, however, limitations with that approach.
The author of foliate sums it up nicely here.
Maybe the user could be given the option to toggle scripted content.

That's it! If something's unclear, please ask away.

Cheers
Frederic

PS: Audio warning for the PoC video.

flow-xss-poc.mp4
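A defender-side check for the kind of book described above: a scanner that unpacks an EPUB and flags script elements, inline event handlers and javascript: URLs in its content documents, so a reader app or conversion service can refuse or warn before rendering. This is an added example, not code from flow or epub.js; the sample EPUB is constructed inline.

```python
"""Scan an EPUB (a zip of XHTML content documents) for scripted content."""
import io
import zipfile
from html.parser import HTMLParser

CONTENT_SUFFIXES = (".xhtml", ".html", ".htm")


class ScriptFinder(HTMLParser):
    """Collects script elements, on* handlers and javascript: URLs in one document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"inline handler {name}")
            elif lname in ("href", "src") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name}")


def scan_epub(data: bytes) -> dict:
    """Return {entry name: [findings]} for every content document with scripted content."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith(CONTENT_SUFFIXES):
                continue
            finder = ScriptFinder()
            finder.feed(zf.read(name).decode("utf-8", errors="replace"))
            if finder.findings:
                report[name] = finder.findings
    return report


def build_sample_epub() -> bytes:
    """Constructed minimal EPUB: one clean chapter, one carrying an inline script like the PoC."""
    clean = "<html><body><p>Chapter one.</p></body></html>"
    scripted = ('<html><body><p>Chapter two.</p>'
                '<script>console.warn("Hello from", document.domain);</script>'
                '<a href="javascript:void(0)" onclick="x()">link</a></body></html>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/epub+zip", compress_type=zipfile.ZIP_STORED)
        zf.writestr("OEBPS/ch1.xhtml", clean)
        zf.writestr("OEBPS/ch2.xhtml", scripted)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, findings in scan_epub(build_sample_epub()).items():
        print(entry, findings)
```

A clean book yields an empty report; anything non-empty is a candidate for rejection or for a per-book "enable scripts?" prompt like the toggle suggested above.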