Papaya Medical Viewer 1.0 Cross Site Scripting

Posted May 30, 2023
Authored by Lennert Preuth | Site schutzwerk.com

Papaya Medical Viewer version 1.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2023-33255
SHA-256 | 8df38a330ac2343b3e782afbd1eada60580f208c1258a2a059d50abc00c3df54

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title
=====

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status
======

PUBLISHED

Version
=======

1.0

CVE reference
=============

CVE-2023-33255

Link
====

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:
https://www.schutzwerk.com/blog/tags/advisories/


Affected products/vendor
========================

Papaya, Research Imaging Institute - University of Texas Health Science Center

Summary
=======

User-supplied input in the form of DICOM or NIFTI images can be loaded into the
Papaya web application without any kind of sanitization. This allows an attacker
to inject arbitrary JavaScript code into the image's metadata, which is then
executed as soon as the metadata is displayed in the Papaya web application.

Risk
====

The vulnerability allows an attacker to inject arbitrary JavaScript code into
the Papaya web application. The actual risk depends heavily on how Papaya is
used as a library within a larger medical web application. In the application
in which the vulnerability was discovered, users could upload images, store them
on the web server and display them to multiple other users. It was therefore
possible to store JavaScript code on the server and attack other users in order
to impersonate them or steal their session, leading to the disclosure of
sensitive medical data.

Description
===========

A medical web application assessed for security vulnerabilities by SCHUTZWERK
was found to contain a stored cross-site-scripting vulnerability. The
application uses the Papaya JavaScript software[0] published by the Research
Imaging Institute of the University of Texas Health Science Center[1].

The software is described as "[..] a pure JavaScript medical research image
viewer, supporting DICOM and NIFTI formats, compatible across a range of web
browsers [..]". It can be used stand-alone or integrated into larger medical
applications, has 192 forks and 488 stars on GitHub and was used in at least 50
published academic research papers[2].

One of the main features is opening medical images in multiple formats, which
is done via the context menu "File - Add image...". Papaya then displays the
image and adds a new icon in the upper right corner of the viewer. This icon
opens another context menu that allows the previously opened image to be edited
as a layer in several ways. The entry of interest for the cross-site-scripting
vulnerability is "Show Header", which displays further information about the
medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in
Papaya. The "Show Header" function shows multiple entries, including private
patient data fields such as patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create and edit
DICOM images. The metadata field "Manufacturer" (tag (0008,0070)) of the
previously downloaded DICOM image was edited with the DCMTK tool dcmodify. The
data dictionary is passed via the DCMDICTPATH environment variable so that the
tag can be addressed by name:

DCMDICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m "Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[..]
# Dicom-Data-Set
[..]
(0008,0070) LO [<script>alert(1)</script>]          #  26, 1 Unknown Tag & Data
[..]

Since dcmdump was run here without the data dictionary, the tag name is printed
as "Unknown Tag & Data" instead of "Manufacturer". The reported length of 26 is
the 25-byte payload padded with a trailing space, as the LO value representation
requires an even length.

Viewing the header information of the manipulated DICOM image in Papaya executes
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit 4a42701),
since the vendor had not implemented any remediation several months after new
contributors were introduced to the project.


Solution/Mitigation
===================

Several mitigation recommendations have been sent to the vendor. These include
common mitigation strategies from OWASP[6], such as escaping user-controlled
input before it is inserted into the DOM, and the use of well-known JavaScript
sanitization libraries such as DOMPurify[7].

As a quick workaround, the context menu that allows showing header information
can be disabled by setting the variable kioskMode to true.


Disclosure timeline
===================


2020-08-20: Vulnerability discovered
2020-08-20: Vulnerability reported to vendor
2020-09-30: Contacted vendor again
2020-09-30: Vendor responds and asks for mitigation ideas
2020-10-01: Response to vendor with detailed information and mitigation ideas
2020-11-09: Contacted vendor again for any status updates
2022-08-30: Retest of the customer application including the Papaya web application
2022-09-21: Notified vendor of intention to publish advisory
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will maintain the project
2023-04-19: Informed vendor about publication deadline on May 15, 2023
2023-05-08: Vendor replied with intention to fix vulnerability by May 15, 2023
2023-05-15: Vulnerability fixed by vendor
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits
===============

The vulnerability was discovered during an assessment by Lennert Preuth of
SCHUTZWERK GmbH.


References
==========

[0] https://github.com/rii-mango/Papaya
[1] https://rii.uthscsa.edu/
[2] http://mangoviewer.com/pubs.html
[3] https://en.wikipedia.org/wiki/DICOM
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/
[5] https://dicom.offis.de/dcmtk.php.de
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
[7] https://github.com/cure53/DOMPurify


Disclaimer
==========

The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at SCHUTZWERK GmbH's website.
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp
4bKAQKWvxQG8GpbKuQT4on0=
=IEuk
-----END PGP SIGNATURE-----

--
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

advisories@schutzwerk.com / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz
