
[Security] XSS leading to code execution #42

Open
thefLink opened this issue May 17, 2018 · 1 comment

@thefLink
Description
An XSS vulnerability exists that leads to arbitrary code execution.

Version

  • Version 0.0.3
  • Tested on: Linux

To reproduce
Steps to reproduce the behavior:

  1. Create a new task
  2. Add this to the details:

```html
<img src="asdf" onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">
```

  3. See the popup

[screenshot: xss_akiee]
[screenshot: xss_akiee2]

Expected behavior
This cross-site scripting vulnerability allows an attacker to execute arbitrary code on the victim's machine by tricking the victim into opening a crafted liveflow.md that looks like this:

```markdown
# Inbox 
## TODO test_task_1_xxx <img src="asdf" onerror="var os = require('os'); var hostname = os.platform(); var homedir = os.homedir(); alert('Host:' + hostname + 'directory: ' + homedir);">
RANK: 1
```

In the worst case this will lead to a reverse shell. I am not going to paste the code for the reverse shell here for obvious reasons.
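The report above shows raw HTML in a task's details reaching the renderer with Node's `require` in scope. As an added example (not Akiee's code, nor the reporter's), the block below shows the two defensive layers a maintainer would want: hardened Electron `webPreferences` so injected script cannot reach `require('os')`, and escaping of raw HTML before task details are inserted into the DOM, plus a small triage heuristic that flags inline event-handler attributes in a task file. `SAMPLE_DETAILS` is a constructed copy of the report's payload; `renderTaskDetails` and `findInlineEventHandlers` are hypothetical names.

```javascript
// Hardened Electron renderer settings (real BrowserWindow webPreferences keys):
// with nodeIntegration off and contextIsolation on, script that lands in the
// page has no access to require('os') or any other Node API.
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
};

// Constructed sample: the task line from the report's crafted liveflow.md.
const SAMPLE_DETAILS =
  '## TODO test_task_1_xxx <img src="asdf" onerror="var os = require(\'os\');' +
  ' alert(os.homedir());">';

// Escape characters that would otherwise be parsed as markup, so raw HTML in a
// task file is displayed as literal text instead of being executed.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Display layer (hypothetical): escape before the details touch the DOM.
// Escaping plus the Electron isolation above is the mitigation; the heuristic
// below is only a triage aid for spotting suspicious task files.
function renderTaskDetails(details) {
  return escapeHtml(details);
}

// Triage heuristic: collect inline event-handler attribute names (onerror,
// onload, ...) found inside HTML tags in a task file. Regex-based, so it is
// for detection and review, not a sanitizer.
function findInlineEventHandlers(text) {
  const handlers = [];
  const tagRe = /<[a-zA-Z][^>]*>/g;
  const attrRe = /\s(on[a-zA-Z]+)\s*=/g;
  let tag;
  while ((tag = tagRe.exec(text)) !== null) {
    let attr;
    while ((attr = attrRe.exec(tag[0])) !== null) {
      handlers.push(attr[1].toLowerCase());
    }
  }
  return handlers;
}

console.log(findInlineEventHandlers(SAMPLE_DETAILS)); // [ 'onerror' ]
console.log(renderTaskDetails(SAMPLE_DETAILS));       // no '<' survives
```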

@rockiger rockiger added the bug label Jun 13, 2018
@digitalethics

@rockiger Could you address this with a new release? It looks like this has not been fixed yet.
