-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

XSS in Gogs Markdown Renderer
=============================

Researcher: Timo Schmid

Description
===========

Gogs (Go Git Service) is a painless self-hosted Git service written in Go
(taken from [1]). It is very similar to the GitHub hosting platform: multiple
users can create repositories and share code with others through the git
version control system. Repositories can be marked as public or private to
prevent access by unauthorized users.

Gogs provides two API endpoints that transform Markdown into HTML, at the
URLs

    /api/v1/markdown
    /api/v1/markdown/raw

The transformation does not reject or filter HTML contained in the Markdown
input, so it is vulnerable to cross-site scripting (XSS) [3].

Exploitation Technique:
=======================

Remote

Severity Level:
===============

Medium

CVSS Base Score
===============

4.3 (AV:N / AC:M / Au:N / C:P / I:N / A:N)

CVE-ID
======

CVE-2014-8683

Impact
======

The vulnerability could be used together with social engineering attacks to
gain access to restricted resources, by extracting authentication tokens from
cookies or by performing actions in the context of the logged-in victim.

Status
======

Not fixed

Vulnerable Code Section
=======================

models/issue.go:

[...]
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {
    // Neither step rejects or filters HTML contained in rawBytes
    // (see Solution), so it reaches the rendered output unchanged.
    body := RenderSpecialLink(rawBytes, urlPrefix)
    body = RenderRawMarkdown(body, urlPrefix)
    return body
}

func RenderMarkdownString(raw, urlPrefix string) string {
    return string(RenderMarkdown([]byte(raw), urlPrefix))
}
[...]

Proof of Concept
================

Form to trigger XSS:

Response:

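The following Go program is an added illustration (editor's example, not Gogs
code) of the behaviour this advisory describes and of the fix proposed in the
Solution section below. Gogs delegates Markdown rendering to a third-party
library; to stay self-contained, the example uses a hand-written subset of
Markdown (heading, bold, inline code, link) on top of the Go standard library
only. RenderMarkdownUnsafe copies raw HTML from the input into the output, as
the vulnerable renderer does; RenderMarkdownSafe entity-escapes the input with
html.EscapeString before rendering, so user-supplied tags become text and the
only tags in the output are those the renderer itself emits. The function
names, the Markdown subset, safeHref's scheme allowlist and the sample input
are the editor's own assumptions, not anything from Gogs.

```go
package main

import (
	"fmt"
	"html"
	"regexp"
	"strings"
)

// Editor's example, not Gogs code: a minimal Markdown subset rendered two
// ways, once with raw HTML passed through and once with the input escaped.

// allowedSchemes lists the URL schemes a rendered link may use. Anything else
// (javascript:, data:, vbscript:, ...) is dropped so an href cannot run script.
var allowedSchemes = []string{"http://", "https://", "mailto:"}

var (
	linkRe = regexp.MustCompile(`\[([^\]]+)\]\(([^)\s]+)\)`)
	boldRe = regexp.MustCompile(`\*\*([^*]+)\*\*`)
	codeRe = regexp.MustCompile("`([^`]+)`")
)

// safeHref accepts absolute URLs with an allowed scheme and site-relative paths.
func safeHref(raw string) (string, bool) {
	u := strings.ToLower(strings.TrimSpace(raw))
	if strings.HasPrefix(u, "/") {
		return raw, true
	}
	for _, s := range allowedSchemes {
		if strings.HasPrefix(u, s) {
			return raw, true
		}
	}
	return "", false
}

// renderInline converts the supported inline syntax of one line to HTML. It
// only adds the tags it generates itself; any '<' or '>' it receives is copied.
func renderInline(s string) string {
	s = linkRe.ReplaceAllStringFunc(s, func(m string) string {
		parts := linkRe.FindStringSubmatch(m)
		href, ok := safeHref(parts[2])
		if !ok {
			return parts[1] // disallowed scheme: keep the text, drop the link
		}
		return fmt.Sprintf(`<a href="%s">%s</a>`, href, parts[1])
	})
	s = boldRe.ReplaceAllString(s, "<strong>$1</strong>")
	s = codeRe.ReplaceAllString(s, "<code>$1</code>")
	return s
}

// renderLines turns each non-empty input line into a heading or a paragraph.
func renderLines(text string) string {
	var out []string
	for _, line := range strings.Split(text, "\n") {
		switch {
		case strings.TrimSpace(line) == "":
			continue
		case strings.HasPrefix(line, "# "):
			out = append(out, "<h1>"+renderInline(line[2:])+"</h1>")
		default:
			out = append(out, "<p>"+renderInline(line)+"</p>")
		}
	}
	return strings.Join(out, "\n")
}

// RenderMarkdownUnsafe mirrors the behaviour the advisory describes: HTML in
// the input is neither rejected nor filtered, so <script> tags and injected
// event-handler attributes reach the browser unchanged.
func RenderMarkdownUnsafe(text string) string {
	return renderLines(text)
}

// RenderMarkdownSafe entity-escapes the input before rendering, so every
// user-supplied '<', '>', quote and '&' becomes text and the only tags in the
// output are the ones renderLines emits. html.EscapeString leaves Markdown
// punctuation alone, so the subset above still renders.
func RenderMarkdownSafe(text string) string {
	return renderLines(html.EscapeString(text))
}

func main() {
	// Constructed sample input: a heading, a script tag, bold text, a link
	// with a javascript: target and a normal link.
	const sample = "# Release notes\n<script>alert(document.cookie)</script> **fixed** [run](javascript:alert(1)) [docs](https://example.org/docs)"
	fmt.Println("unsafe:\n" + RenderMarkdownUnsafe(sample))
	fmt.Println("safe:\n" + RenderMarkdownSafe(sample))
}
```

Escaping before rendering also covers attribute injection into the tags the
renderer generates itself: a quote character inside a link target arrives as
&#34; and can no longer close the href attribute. The scheme allowlist in
safeHref is a separate control, because escaping alone does nothing against a
well-formed Markdown link whose target is javascript:. A production fix that
still wants to allow some inline HTML would instead run a maintained HTML
sanitizer over the renderer's output, since escaping everything disables
legitimate HTML along with the malicious kind.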
Solution
========

The Markdown processing should reject or filter any HTML in the input and
process only Markdown content.

Affected Versions
=================

>= v0.3.1-9-g49dc57e

Timeline
========

2014-09-25: Developer informed
2014-10-16: Contacted developer regarding fix
2014-10-25: Working together with developer on fix
2014-11-03: Contacted developer
2014-11-14: CVE-ID assigned

Credits
=======

Pascal Turbing
Jiahua (Joe) Chen

References
==========

[1] https://github.com/gogits/gogs
[2] http://gogs.io/
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
[4] https://www.ernw.de/download/BC-1404.txt

Advisory-ID
===========

BC-1404

Disclaimer
==========

The information contained herein may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties, implied or otherwise, with regard to this information or its
use. Any use of this information is at the user's risk. In no event shall the
author/distributor be held liable for any damages whatsoever arising out of or
in connection with the use or spread of this information.

- -- 
Timo Schmid
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0
Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

==============================================================
|| Blog: www.insinuator.net || Conference: www.troopers.de ||
==============================================================

================== TROOPERS15 ==================
* International IT Security Conference & Workshops
* 16th - 20th March 2015 / Heidelberg, Germany
* www.troopers.de
====================================================

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAwAGBQJUZlGDAAoJEHq2kn1vJmzgr28H/20Yb2h9Wj7eUD7/L8jggNVz
QISEQYsS6tuUGM59fYNRj7qGa/PnX5biaW3qD2Zy3erS+CfO4pFOGMZcjFSyNrL5
sFZmVAYftGnPLYTFh2Wt4iV3Yx3CgPzdlYZFSqXDynw5xWokSTqnlquwiUrIG1JW
45CYitwsTd9KzaoCMzeQeiPbSbjrZ+kQyM6+iMuBTqyfpbIf1A4kpJi0sULEU/a2
fMPUmlFoFBSlIfxUXKY8sRcritZHI9GiMnVOGsHxtW3RSszP3MfNDu0uJ4AaAHRF
3J1AH2DCuKrig9rMxUWzI3RrogOc5HrQYIIhM2gv8E7W2xkP4Ypozxwaw7JwBS4=
=uWDU
-----END PGP SIGNATURE-----