
SImiik <=v1.6.2.1 xss + rce #123

Closed
deFming opened this issue Apr 15, 2019 · 1 comment


deFming commented Apr 15, 2019

1. XSS

Examples:

python3 -m simiki.cli new -t "Hello Simiki<svg/onload=alert(1)>" -c first-catetory

python3 -m simiki.cli g
python3 -m simiki.cli p


The affected file appears to be https://github.com/tankywoo/simiki/blob/master/simiki/generators.py, line 54.

By default, jinja2 sets autoescape to False. Consider using autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities.

2. RCE

https://github.com/tankywoo/simiki/blob/master/simiki/config.py, line 64:
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

This can lead to remote code execution.

When simiki loads a malicious _config.xml file.

Payload:

!!python/object/new:os.system ["/Applications/Calculator.app/Contents/MacOS/Calculator"]

When using simiki again, simiki will load _config.yml and cause remote code execution.

tankywoo (Owner) commented:

Thanks for your report.

For the first problem, enabling autoescape requires the theme to also add `safe`, and I will fix it later.

The second problem was fixed in version 1.6.2.2.
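An added example, not code from simiki or from either poster, showing the two mitigations discussed in this thread: `yaml.safe_load()` rejecting a `!!python/object` tagged node, and a Jinja2 environment with autoescape on where the page body is explicitly marked `safe` (the theme change the maintainer refers to). The template, the `load_config`/`render_page` names and the config text are constructed for this example; it assumes PyYAML and Jinja2 are installed.

```python
import yaml
from jinja2 import Environment, DictLoader, select_autoescape

# Constructed config in the shape of the report's payload. With safe_load the
# tagged node is refused instead of being turned into a call to os.system.
TAGGED_CONFIG = """\
title: wiki
author: !!python/object/new:os.system ["echo constructed"]
"""

def load_config(text):
    """Parse site config with safe_load, which only builds plain YAML
    scalars, mappings and sequences.
    Returns (config_dict, None) on success or (None, error_message)
    when a non-standard tag such as !!python/object is rejected."""
    try:
        return yaml.safe_load(text), None
    except yaml.YAMLError as exc:
        return None, str(exc)

# Constructed theme template. With autoescape enabled, `title` is escaped;
# the page body (HTML the generator produced from the author's own Markdown)
# is the one place where the template must opt in with `safe`.
TEMPLATES = {"page.html": "<h1>{{ title }}</h1>\n<div>{{ content|safe }}</div>"}

def render_page(title, content_html):
    """Render a page with autoescape chosen by template extension."""
    env = Environment(loader=DictLoader(TEMPLATES),
                      autoescape=select_autoescape(["html", "xml"]))
    return env.get_template("page.html").render(title=title, content=content_html)
```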
