
Cross-site Scripting (XSS) issue in media element #4394

Closed
intivesec opened this issue May 15, 2018 · 6 comments

Comments

@intivesec

I would like to request a security bug

What is the current behavior?
TinyMCE is prone to inappropriate validation of user input in the process of media element creation. Below I describe a PoC which shows a way to execute arbitrary JavaScript code (self-XSS).

Steps to reproduce: (It can be tested at https://codepen.io/tinymce/pen/NGegZK or http://fiddle.tinymce.com/; however, this vulnerability behaves slightly differently between those sites)

  1. Click Insert > Media

  2. Type "a" in Source and change the active tab to Embed

[image: picture1]

  3. Edit the code generated by TinyMCE by adding "onerror=alert(1) "

[image: picture2]

  4. Create the media element

[image: picture3]

What is the expected behavior?
After a few JavaScript executions (1-5 times) the media element becomes properly sanitised.
Moreover: after the XSS executes, any attempt to edit the malicious media element makes the editor unresponsive for the user.

[image: picture4]

Which versions of TinyMCE, and which browser / OS are affected by this issue? Did this work in previous versions of TinyMCE?

Affected version: at least 4.7.11, 4.7.12
Tested Browsers: Chrome, Firefox
OS: macOS High Sierra

@Daijobou

I think you may be in the wrong place here. Yes, that can be an issue, but not necessarily, and it has nothing to do with the editor itself, I think.

  1. You and only you can insert this, and only for yourself in your own browser. For other users, inserting an event handler like onerror="" or onclick="" is maybe not an issue.

  2. After submission TinyMCE is not responsible for your content! Your own script must clean the received text of bad things. Here you can use tools like HTMLPurifier or others. In fact anyone can manipulate the data with the browser inspector or other tools before submission and after cleaning with TinyMCE, or submit data to your page without TinyMCE at all.
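One way to do the server-side cleaning this comment recommends, as an added example that is not part of this thread or of TinyMCE's own code: an allow-list sanitizer for media embed fragments, written here in plain JavaScript. The element and attribute allow-lists, the function names and the sample fragments are assumptions constructed for the example. It keeps only `video`, `audio` and `source` with a handful of harmless attributes, so an `onerror` attribute on `<source>` (the vector reported above) is dropped regardless of how it was typed. A production deployment would use a maintained library (HTMLPurifier, as mentioned above, or DOMPurify) rather than this hand-rolled tag scanner.

```javascript
// Added example, not TinyMCE project code: allow-list sanitizer for a media
// embed fragment, run on the server after the editor content is submitted.
// Assumed allow-list (constructed for the example): only these elements and
// attributes survive; everything else, including every on* handler, is dropped.
const ALLOWED = new Map([
  ["video", new Set(["src", "controls", "width", "height", "poster", "type"])],
  ["audio", new Set(["src", "controls"])],
  ["source", new Set(["src", "type"])],
]);
const URL_ATTRS = new Set(["src", "poster"]);

// Matches an opening or closing tag and captures its name and raw attribute text.
const TAG_RE = /<\/?([a-zA-Z][\w-]*)([^>]*?)\/?>/g;
// Matches one attribute: name, optionally = "double-quoted", 'single-quoted' or unquoted value.
const ATTR_RE = /([^\s="'<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Only relative URLs and http(s) are accepted for URL-valued attributes.
// Control characters are removed first because browsers ignore them when
// parsing a scheme, so "java\tscript:" must be treated as "javascript:".
function safeUrl(value) {
  const v = value.trim().replace(/[\u0000-\u0020]/g, "").toLowerCase();
  const m = /^([a-z][a-z0-9+.-]*):/.exec(v);
  return m === null || m[1] === "http" || m[1] === "https";
}

// Rebuilds an opening tag from scratch, keeping only allow-listed attributes.
function rebuildTag(name, rawAttrs) {
  const allowed = ALLOWED.get(name);
  const parts = [];
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(rawAttrs)) !== null) {
    const attr = m[1].toLowerCase();
    const value = m[2] ?? m[3] ?? m[4];
    if (!allowed.has(attr)) continue; // onerror, onclick, style, ... dropped here
    if (value === undefined) { parts.push(attr); continue; } // boolean attr, e.g. controls
    if (URL_ATTRS.has(attr) && !safeUrl(value)) continue; // javascript: and friends dropped
    parts.push(`${attr}="${escapeText(value)}"`);
  }
  return `<${name}${parts.length ? " " + parts.join(" ") : ""}>`;
}

// Walks the fragment tag by tag: allowed elements are re-emitted from the
// allow-list, unknown elements are removed, and all text is HTML-escaped.
function sanitizeMediaEmbed(html) {
  let out = "";
  let last = 0;
  TAG_RE.lastIndex = 0;
  let m;
  while ((m = TAG_RE.exec(html)) !== null) {
    out += escapeText(html.slice(last, m.index));
    last = TAG_RE.lastIndex;
    const name = m[1].toLowerCase();
    if (!ALLOWED.has(name)) continue; // e.g. <script> tags vanish, their text stays escaped
    out += m[0].startsWith("</") ? `</${name}>` : rebuildTag(name, m[2]);
  }
  out += escapeText(html.slice(last));
  return out;
}

// Constructed sample: the embed code from the report, with the handler added to <source>.
const SAMPLE = '<video width="300" controls><source src="a" onerror=alert(1) type="video/mp4"></video>';
console.log(sanitizeMediaEmbed(SAMPLE));
```

Because the tag is rebuilt rather than patched, attribute names written in other cases (`OnError`) or without quotes get the same treatment, and a `src` carrying a `javascript:` scheme is removed while the element itself is kept.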

@intivesec
Author

@Daijobou: I am aware that my PoC describes a self-XSS. If you do not recognise it as a vulnerability, I recommend you watch this talk, "Self XSS: we're not so different, you and I": https://www.youtube.com/watch?v=l3yThCIF7e4.

As long as TinyMCE performs changes on the user's input, such as input sanitisation, it is responsible for the actions performed by the sanitisation mechanisms and for the HTML code generated as a result.

@Beuc

Beuc commented Oct 3, 2019

Hi,
I'm part of the Debian Long Term Support team.
AFAICS this got assigned CVE-2019-1010091
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1010091

Do you know if this was fixed?
After a quick test I can't reproduce this on the version packaged in Debian (XSS not executed), although TinyMCE doesn't seem to clear onerror=alert(1) when added to the <video> (not <source>) element.

MITRE also mentions that the vector involves manually copy/pasting the payload, which means this is little different than copy/pasting JavaScript directly in the browser console.
Self-XSS typically involves automated inclusion of the payload through e.g. query string.

@intivesec
Author

@Beuc: Below I put my way of reproducing it at https://codepen.io/tinymce/pen/NGegZK. It can be seen that version 4.9.6 is still prone to what I described more than a year ago. I would also like to mention that the codepen used during tests is a TinyMCE Cloud demo, a full-featured example.

[image: poc]

@tinydylan
Contributor

Hi,

When I add the code injection to the video element, TinyMCE now clears the onerror attribute.

I can reproduce the issue when adding onerror=alert(1) to the source element: the code is executed. This has been forwarded to our infosec team for review.

Thanks

@lnewson
Contributor

lnewson commented Apr 23, 2020

This issue has been fixed in TinyMCE 5.2.2 and TinyMCE 4.9.10, which have now been released to the community. Thanks for letting us know about this issue and we're really sorry it wasn't picked up until recently. If you have any further issues, please let us know.
