
[CVE-2023-27075] Security issues for Stored XSS #142

Closed
7a6163 opened this issue Feb 20, 2023 · 9 comments

Contributor

7a6163 commented Feb 20, 2023

Hello, I found an XSS issue in the project.

Although there is nothing about authentication cookies, an attacker can redirect to a malicious site or insert malicious code.

Payload:

</script><script>alert('xss')</script>


Root cause:

self.content.replace('`', "\\`").replace('$', "\\$")
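As an added example (not microbin's code) of why the escaping quoted above is insufficient: the chain only neutralises the template-literal delimiters, so a `</script>` inside the content still ends the inline script element for the HTML parser. The shape of the inline script, and the function names, are assumptions for illustration.

```rust
// Added example, not microbin's code. Assumed context: user content is
// interpolated into a JavaScript template literal inside an inline <script>.

/// Escaping as described in the issue: only the template-literal delimiters.
fn escape_template_only(content: &str) -> String {
    content.replace('`', "\\`").replace('$', "\\$")
}

/// Hardened escaping for a JS template literal: also escape backslashes, and
/// emit '<' / '>' as JS unicode escapes so the HTML tokenizer never sees
/// "</script". U+2028/U+2029 are JS line terminators and get escaped too.
fn escape_for_inline_script(content: &str) -> String {
    let mut out = String::with_capacity(content.len());
    for c in content.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '`' => out.push_str("\\`"),
            '$' => out.push_str("\\$"),
            '<' => out.push_str("\\u003c"),
            '>' => out.push_str("\\u003e"),
            '\u{2028}' => out.push_str("\\u2028"),
            '\u{2029}' => out.push_str("\\u2029"),
            _ => out.push(c),
        }
    }
    out
}

/// Render the assumed inline script with already-escaped content.
fn render_script(escaped: &str) -> String {
    format!("<script>const content = `{}`;</script>", escaped)
}

/// Check: the HTML tokenizer ends a script element at the first "</script"
/// regardless of JS string context, so more than one occurrence means the
/// user content broke out of the script block.
fn breaks_out_of_script(html: &str) -> bool {
    html.to_ascii_lowercase().matches("</script").count() > 1
}

fn main() {
    // Constructed input: the payload reported in this issue.
    let payload = "</script><script>alert('xss')</script>";
    let vulnerable = render_script(&escape_template_only(payload));
    let hardened = render_script(&escape_for_inline_script(payload));
    println!("vulnerable breaks out: {}", breaks_out_of_script(&vulnerable));
    println!("hardened breaks out:   {}", breaks_out_of_script(&hardened));
}
```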

@7a6163 7a6163 changed the title Security issues for XSS Security issues for Stored XSS Feb 20, 2023
@7a6163 7a6163 changed the title Security issues for Stored XSS [CVE request] Security issues for Stored XSS Mar 1, 2023
@schrottkatze

I've discovered that a while ago too and contacted the maintainer about it on 2023-02-16, but they didn't respond yet.

If anyone is interested in a fork of microbin by... well, me (which fixes that and adds some other features that were requested here), here is the link to the repo: https://gitlab.com/obsidianical/microbin


matze commented Mar 4, 2023

There are more severe things:

  • The service is not handling invalid UTF-8 data well and panics. This keeps the lock on the "database" poisoned rendering the service inaccessible.
  • The service keeps a lock while operating on its database, making async kind of pointless.
  • The service serializes and writes the entire database file to disk each time a pasta is fetched. This will not scale well in the long run.

Disclaimer: I write a similar service

@schrottkatze

Microbin's JSON database is a joke. I'm aware of that. It's kinda a high priority TODO for my fork at the moment.

How do I reproduce the UTF-8 data thing? I'm gonna look into fixing that ASAP if I can diagnose it


matze commented Mar 4, 2023

> How do I reproduce the UTF-8 data thing?

Paste invalid UTF-8 and you are good.

@schrottkatze

I've tried crashing a local dev instance, and I haven't been able to, even after pasting a raw binary program, random bytes, and a stress tester file for invalid UTF-8. I don't think that'll cause many problems, since triggering this issue at all was quite impossible to me so far. If you can provide a sample of a string that does crash it, please do.


matze commented Mar 4, 2023

It does not crash the entire server because actix installs a panic handler but it renders the upload and a few other endpoints useless. Try

wget https://www.cl.cam.ac.uk/~mgk25/ucs/examples/UTF-8-test.txt
curl -F "expiration=10min" -F content=@UTF-8-test.txt -X POST http://0.0.0.0:8080/upload

From now on, every time you try to paste something either via the REST endpoint or the UI, it will fail with

thread 'actix-rt|system:0|arbiter:0' panicked at 'called `Result::unwrap()` on an `Err` value: PoisonError { .. }', src/endpoints/create.rs:40:41

Edit: also the List and Info endpoints do not work anymore.


schrottkatze commented Mar 4, 2023

While there seems to be an error, pasting still seems to work on my fork. It seems that I fixed the problem preventing pasting (by accident).

The fix seems to have been that I switched to an async aware mutex for another unrelated reason, which seems to unlock after a thread crashes.

@7a6163 7a6163 changed the title [CVE request] Security issues for Stored XSS [CVE-2023-27075] Security issues for Stored XSS Mar 17, 2023

ldpr commented Mar 19, 2023

@szabodanika, apologies for tagging you. With this CVE in the wild for a month, should we consider this project unmaintained? Apologies for being blunt, I love the tool and just wanted to know the status :)

@szabodanika szabodanika added this to the Targeting v1.3.0 milestone Mar 26, 2023
@szabodanika
Owner

Thanks a lot @7a6163 for #143! I apologise, I had to put aside personal projects as I was very busy with work and studies. I am back on working on v1.3.0 release now, cleaning up backlog in priority order. I am an active user of this software, therefore it will never be abandoned.
