New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SCEditor - Cross-site Scripting (XSS) - Fix: #767
Conversation
Merging fix - on-behalf of @mufeedvh, executed by huntr.dev (023-js-sceditor).
@brunoais @samclarke - any updates on this? |
I'm not the keeper of the code so I won't approve this big change. |
@brunoais - thank you for the swift response! ⚡️ Please see the comments by the fixer below:
|
@JamieSlome :
|
@JamieSlome I think this isn't going anywhere. |
Hello @brunoais,
XSS aka Cross-site Scripting is a vulnerability occurring on the client-side (browser part) not the server-side of a web application. It occurs when user input is given a JavaScript code as value and the web application doesn't sanitize or escape the input which results in executing the particular JavaScript code on the front-end of the web application.
This commit is the fix for the XSS Vulnerability that SCEditor suffers. 📎 For Example: A web application accepts a value from an input field for entering our name: Entering a JavaScript code instead of our name as value: ( How did it reflect on the client-side: 💀 Impact of an XSS Vulnerability: The impact of an exploited XSS vulnerability on a web application varies a lot. It ranges from user's Cookie Hijacking, and if used in conjunction with a social engineering attack it can also lead to the disclosure of sensitive data, CSRF attacks, and other security vulnerabilities.
Here you go, a Proof of Concept from the finder itself, it also has an assigned CVE: 📚 For Reference:
Thanks & Regards, |
To show you how wrong you are: OK, jokes asside: SCE, by definition, cannot suffer from XSS because all its code is run on the client side. This library only brings extra processing that is exclusively security theatre. About the CVE you set:
is wrong (my emphasis). There is no web page generation process done by SCE. At least not according to their own definition.
If so, then provide a reproducible example of the vulnerability in action. I.e. something I can try myself to confirm. If I can reproduce, I can consider myself wrong. Until then, I will need user interaction steps to cause XSS that doesn't depend on an XSS nor stored XSS vulnerability in the server and isn't easily overturned by doing something similar. All the sources you have shown are cross-referencing each other. Also all of them allow free entry. I.e. everybody can submit to them.
What about this?
Or (I don't need the iframe at all):
Am I missing something here? |
Hi @brunoais, You are not getting the point. And it seems like you don't know much about Web Application Security or XSS (Cross-site Scripting) in general. So I am gonna answer all your questions one-by-one. :)
I am not.
My friend, I was just showing you an example of what XSS is. It is not SCEditor nor is it associated with it. It is just an example. And again, XSS is not a server-side vulnerability, it's a client-side vulnerability that happens due to improper validation of user input (ie: sanitization or escaping).
To achieve an XSS attack, you don't need any interaction with the server, it's all on the client-side. If you think I am wrong, read this. And I don't know what is security theatre as you've stated. I assume you meant "security threat", I have stated about the impact of XSS in my previous comment.
I am not the one who set the CVE, it's the CVE publishers who do. And also, only valid vulnerability submissions get a CVE ID assigned so do you know what that means? SCEditor suffers from XSS. Learn about CVEs here
There is no need for a "web page generation process" to achieve an XSS attack. If a web application prints out a user input or even previews it without "reloading" or "web page generation", it is technically vulnerable to XSS except if the input is sanitized or escaped.
That's not supposed to happen. You can checkout CKEditor, a similar project which had suffered XSS vulnerabilities multiple times and they have fixed them too. For reference: https://snyk.io/vuln/SNYK-JS-CKEDITOR-72618
This vulnerability exists and that's how it got a CVE assigned. You can reproduce it with the following steps from the original Proof of Concept.
Well yes, that Proof of Concept shows that the vulnerability exists on the If you want to know how this issue has been fixed: checkout 418sec#2 And also this vulnerability is similar to #753 but not the same. :) I have answered all your questions one-by-one, also I suggest you to check out the OWASP XSS Page where you can learn about XSS (Cross-site Scripting) attacks thoroughly. :) Thanks & Regards, |
Yes please.
If you are showing me that the vulnerability is in the client, why are you showing me a vulnerability in the server?
There is one detail I failed. If the javascript reads data directly from the URL or from cookies and pasts it using
I actually meant security theatre.
I don't think they spent any time confirming the claims and I believe they just assumed the claims were correct. Only javascript calling functions were given here. If you can call javascript functions, you can already do anything beyond what SCE does. SCE can't stop an attacker that can already run whatever js he wants.
OK thanks. So there's some level of review... Given how this happened... I don't think they did any check whether the claims are correct. They only checked if the claim itself was sound.
If that's so, show me a couple of examples. If there's a vulnerability, first you prove it exists. Why all this discussion and no examples of the vulnerability?
For reference: ckeditor/ckeditor4#1876 (comment) Is the fist fix mentioned in 4.11.0 what you mean?
Where are the reproduction steps?
In order for
I see... That does need to be addressed. Why didn't you give me an example in the first place?!?! For me to merge, solve each problem individually and at the source of the problem. Not after it has gone into the program. Change the input types:
That's the main idea. |
Hi @brunoais, Thanks for the quick response. :)
I used DOMPurify so that it would accept HTML content and strips out everything (JavaScript code) that could cause an XSS Vulnerability. I guess that's a good fix. While fixing the issue, the only information I depended on was the original proof of concept and CVE notes from other resources, so I only focused on fixing the issue on the function itself.
Oh yes, so I guess you're saying that the input should be escaped before it is thrown into the |
In the cases I found, such logic is not needed. Only the generated HTML needs to be changed. By changing the Let me know if there's still gaps after such actions |
How can an input tag's type attribute say changing to |
In an input that expects a number like weight/height of an image, you may just force the input to only accept numbers. There are many other input types. Here's two examples for url and number. If you try to input anything besides the valid for the given type, an error appears. |
SCEditor is an At this point, I think we should wait for @samclarke thoughts on this issue. :) Thanks |
OK. We wait for @samclarke . He has been quite unresponsive, unfortunately. |
Couldn't this be fixed with the built in escaping methods as seen in #763? |
Thanks for the PR and sorry for taking so long to reply. This PR would fix for the affected commands but if dompurify is going to be included it would probably make more sense to do the filtering inside There is another possible solution which would be to make commands use In the case of BBCode that should be completely safe as it takes BBCode and which is parsed and converted into HTML, escaping anything dangerous, before being inserted. For the XHTML format to be secure it would either need extra attribute filters (not ideal), to use a comprehensive whitelist (good and is supported but isn't currently done by default) or to use dompurify (also good). Using Using dompurify should make using |
I've created a branch based off this PR to see what impact using dompurify internally would have. It adds ~7kb to the compressed size and adds a dependency but should make all methods of inserting HTML safe from XSS so might be the better choice. |
https://github.com/mufeedvh fixed the vulnerability associated with Cross-site Scripting (XSS).
This fix is being submitted on behalf of https://github.com/mufeedvh - they have been awarded $25 for fixing the vulnerability through the huntr bug bounty program.
Think you could fix a vulnerability like this - get involved (https://huntr.dev).
Q | A
Version Affected | ALL
Bug Fix | YES
Further References | 418sec#2