exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Gogs Markdown Renderer Cross Site Scripting

Gogs Markdown Renderer Cross Site Scripting
Posted Nov 14, 2014
Authored by Timo Schmid, Pascal Turbing, Jiahua Chen

Gogs markdown renderer suffers from a cross site scripting vulnerability. Versions 0.3.1-9-g49dc57e are affected.

tags | exploit, xss
advisories | CVE-2014-8683
SHA-256 | f4ed141215063e5aa1d383bf0253f2da4d53f16ac3236dd18eebfb6ef1c26dc4
Download | Favorite | View

Gogs Markdown Renderer Cross Site Scripting

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

XSS in Gogs Markdown Renderer
=============================
Researcher: Timo Schmid <tschmid@ernw.de>


Description
===========
Gogs(Go Git Service) is a painless self-hosted Git Service written in
Go. (taken
 from [1])

It is very similiar to the github hosting plattform. Multiple users can
create
multiple repositories and share code with others with the git version
control
system. Repositories can be marked as public or private to prevent
access from
 unauthorized users.

Gogs provides two api views to transform markdown into HTML at the urls
/api/v1/markdown and /api/v1/markdown/raw

The transformation is vulnerable to XSS.


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


CVSS Base Score
===============
4.3 (AV:N / AC:M / Au:N / C:P / I:N / A:N)


CVE-ID
======
CVE-2014-8683


Impact
======
The vulnerability could be used together with social engineering attacks
to gain
access to restricted resources by extracting authentication tokens from
cookies
or by executing commands in the context of the logged in victim.


Status
======
Not fixed


Vulnerable Code Section
=======================
models/issue.go:
[...]
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
    body := RenderSpecialLink(rawBytes, urlPrefix)
    body = RenderRawMarkdown(body, urlPrefix)
    return body
}

func RenderMarkdownString(raw, urlPrefix string) string {
    return string(RenderMarkdown([]byte(raw), urlPrefix))
}
[...]


Proof of Concept
================
Form to trigger XSS:
<form action="http://example.com/api/v1/markdown" method="post">
<input name="text" value="<img
onerror="alert("XSS")
" src="x">">
<input type="submit">
</form>

Response:
<p><img onerror="alert("XSS")" src="x"></p>


Solution
========
The markdown processing should reject or filter any HTML input and
process only
markdown content.


Affected Versions
=================
>= v0.3.1-9-g49dc57e


Timeline
========
2014-09-25: Developer informed
2014-10-16: Contact of developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-14: CVE-ID assigned


Credits
=======
Pascal Turbing <pturbing@ernw.de>
Jiahua (Joe) Chen <u@gogs.io>


References
==========
[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.ernw.de/download/BC-1404.txt


Advisory-ID
===========
BC-1404


Disclaimer
==========
The information herein contained may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO
warranties, implied or otherwise, with regard to this information or its
use.
Any use of this information is at the user's risk. In no event shall the
author/
distributor be held liable for any damages whatsoever arising out of or in
connection with the use or spread of this information.

- -- 
Timo Schmid

ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg  -  www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||
==============================================================
==================   TROOPERS15   ==================
*   International IT Security Conference & Workshops
*   16th - 20st March 2015 / Heidelberg, Germany
*   www.troopers.de
====================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAwAGBQJUZlGDAAoJEHq2kn1vJmzgr28H/20Yb2h9Wj7eUD7/L8jggNVz
QISEQYsS6tuUGM59fYNRj7qGa/PnX5biaW3qD2Zy3erS+CfO4pFOGMZcjFSyNrL5
sFZmVAYftGnPLYTFh2Wt4iV3Yx3CgPzdlYZFSqXDynw5xWokSTqnlquwiUrIG1JW
45CYitwsTd9KzaoCMzeQeiPbSbjrZ+kQyM6+iMuBTqyfpbIf1A4kpJi0sULEU/a2
fMPUmlFoFBSlIfxUXKY8sRcritZHI9GiMnVOGsHxtW3RSszP3MfNDu0uJ4AaAHRF
3J1AH2DCuKrig9rMxUWzI3RrogOc5HrQYIIhM2gv8E7W2xkP4Ypozxwaw7JwBS4=
=uWDU
-----END PGP SIGNATURE-----




Login or Register to add favorites

File Archive:

December 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    0 Files
  • 2
    Dec 2nd
    41 Files
  • 3
    Dec 3rd
    25 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close