OpenTrade DOM-Based XSS Disclosure
[Vulnerability Description]
OpenTrade through version 0.2.0 has a DOM-based XSS vulnerability that is triggered when an administrator attempts to delete a chat message containing JavaScript.
[Application Description]
OpenTrade is an open source cryptocurrency exchange that supports over a dozen cryptocurrencies. Its live version can be found at https://trade.multicoins.org.
[Affected Versions]
The following commit introduced the vulnerability, but at the time OpenTrade did not have a package.json with applicable versioning: https://github.com/3s3s/opentrade/commit/731459452c8e476cb30fcf84ef0d05d153aba0ed#diff-910e51c56f379da78d78892e221e692aR417
Officially, version 0.2.0 of OpenTrade is the only "vulnerable" version, as it is the first version number committed to package.json.
[Overview]
When an administrator attempts to delete a chat message, a modal is opened asking the administrator to confirm the deletion.
This modal does not HTML- or URL-encode the message contents before inserting them into the page, so any markup in the message is rendered and any JavaScript it contains executes in the context of the administrator's browser.
Affected line: https://github.com/3s3s/opentrade/blob/4f91391164219da30533453e1ff6800ef2ef3c6b/static_pages/js/index.js#L473
Because OpenTrade does not set the "token" (session) cookie with the "HttpOnly" flag, the injected script can read the cookie, allowing an attacker to steal administrators' sessions.
[Proof of Concept]
As a normal user:
*) Submit a chat message with JavaScript contents, e.g. <script>alert()</script> (this will not execute in the chat box, where the message is rendered safely).
As an administrator:
*) Attempt to delete the message containing JavaScript by clicking the X delete button to the right of the message.
*) Clicking this button triggers the JavaScript immediately, as the unencoded message has been loaded into the confirmation modal.
[Fix]
Apply encodeURI() to the message output before it is placed in the modal:
https://github.com/3s3s/opentrade/pull/337
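The following is an added example, not OpenTrade's code and not the patch in the pull request above. It models the bug in isolation: a confirmation modal built by string concatenation (the vulnerable pattern), the same modal built with an HTML-escaping helper (escapeHtml is a hypothetical helper, assumed here), and the behaviour of encodeURI(), which the project's fix uses. The sample message is the page's own <script>alert()</script> payload; containsActiveMarkup() is a constructed check that stands in for "would the browser run this if it were inserted into the DOM".

```javascript
// Added example (not OpenTrade's code). Models the DOM-based XSS in the
// delete-confirmation modal and two ways of neutralising it.

// Hypothetical helper: escape the five characters that matter in HTML text
// and attribute contexts. Not part of OpenTrade.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw chat message is concatenated into the markup
// that is then loaded into the modal, so tags in the message become live DOM.
function buildConfirmModalVulnerable(message) {
  return '<div class="modal-body">Delete this message?<br>' + message + '</div>';
}

// Hardened pattern: the message is HTML-escaped first, so '<' becomes '&lt;'
// and the browser renders the payload as text instead of parsing it as a tag.
function buildConfirmModalEscaped(message) {
  return '<div class="modal-body">Delete this message?<br>' + escapeHtml(message) + '</div>';
}

// The project's chosen fix: encodeURI() percent-encodes '<', '>' and '"',
// which also stops tag injection, but it is a URL encoder, not an HTML one:
// it leaves "'" and '&' untouched and the admin sees percent-encoded text.
function buildConfirmModalEncodeURI(message) {
  return '<div class="modal-body">Delete this message?<br>' + encodeURI(message) + '</div>';
}

// Constructed check: does the markup still contain a tag that would execute
// when inserted into the document (a script tag or an inline event handler)?
function containsActiveMarkup(html) {
  return /<script\b|<[a-z]+\b[^>]*\bon[a-z]+\s*=/i.test(html);
}

// Constructed sample input: the payload from the proof of concept above.
const SAMPLE_MESSAGE = '<script>alert()</script>';

// Stand-alone demonstration.
function demo() {
  const results = {
    vulnerable: containsActiveMarkup(buildConfirmModalVulnerable(SAMPLE_MESSAGE)),
    escaped: containsActiveMarkup(buildConfirmModalEscaped(SAMPLE_MESSAGE)),
    encodeURI: containsActiveMarkup(buildConfirmModalEncodeURI(SAMPLE_MESSAGE)),
  };
  console.log(results);
  return results;
}

demo();
```

The point of the third builder is the caveat a reviewer would raise on the fix: encodeURI() does block this payload, because it encodes the angle brackets, but it is not a general HTML-escaping routine (a single quote passes through unchanged), so a message that is later placed inside a quoted attribute or a JavaScript string would need context-appropriate escaping instead.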
[Other]
CVSS (proposed): 7.6 (High) - https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AC:L/AV:N/A:N/C:H/I:L/PR:L/S:C/UI:R
Vulnerability Type: DOM-Based Cross-Site Scripting (XSS)
Discoverer: Marshall Hallenbeck (@mjhallenbeck)
CVE: CVE-2020-6847 (https://github.com/CVEProject/cvelist/blob/master/2020/6xxx/CVE-2020-6847.json)