topic Re: XSS in suggestion box in Nuxeo Forum

XSS in suggestion box

Paco_Alías — Mon, 18 Jan 2016 15:45:57 GMT

Hi everybody

recently we have found that when creating a user, Nuxeo allows you to set some fields like firstName or lastName with HTML code. See examples below:

curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"xssuser", "properties":{"username":"xssuser", "email":"xss@athento.com", "lastName":"XSS attack!", "firstName":"<script>alert(\"You have been hacked!\");</script>", "password":"xsspasswd" } }' http://localhost:8080/nuxeo/api/v1/user

will result in the following situation

It is also possible to include the same fields in the creation-user form vía UI.

When you try to search the user using the suggestion box (on the top-right corner of the page) you'll get the following message:

If you load the default search page and your compromising documents (users in this case) is included in the results page, the script code is also executed.

The same happens when you change dc:title field or any field listed in the search layout.

¿Is it any bugfix around this?

Thanks,

Re: XSS in suggestion box

Florent_Guillau — Tue, 19 Jan 2016 11:27:59 GMT

Hi Paco. Thanks for the report, we'll investigate ASAP. On what version of Nuxeo did you test?

Re: XSS in suggestion box

Paco_Alías — Tue, 19 Jan 2016 11:30:50 GMT

6.0 is in the tags

Re: XSS in suggestion box

Florent_Guillau — Tue, 19 Jan 2016 18:22:29 GMT

Hi,

The problem with the results in the top-right search box for a compromised user name (or document title in some situations) is fixed for the next releases and hotfixes (6.0-HF26, 7.10-HF04, 8.1). Our internal reference for this is NXP-18833 (the ticket is not yet public).

I couldn't reproduce any issue with the display of a compromised document title in search results. Could you expand on the exact issue? Note that previous XSS issues have been fixed, notably for Nuxeo 6.0-HF20, so you should make sure you test on the latest hotfix release.

Re: XSS in suggestion box

Paco_Alías — Wed, 20 Jan 2016 10:53:10 GMT

First of all, very thankful for your quick response. We will apply the hotfixes and let you know the results.

Re: XSS in suggestion box

Paco_Alías — Wed, 20 Jan 2016 10:54:07 GMT

Here are the screenshots with the documents issue 6.0-HF01

Re: XSS in suggestion box

Paco_Alías — Wed, 20 Jan 2016 10:54:36 GMT

Here are the screenshots with the documents issue 6.0-HF01

Re: XSS in suggestion box

Florent_Guillau — Wed, 20 Jan 2016 13:29:53 GMT

I couldn't reproduce this with the latest hotfix 6.0-HF25.

Re: XSS in suggestion box

Paco_Alías — Wed, 20 Jan 2016 15:42:32 GMT

I will test as soon as I have the oportunity. Thanks.

Re: XSS in suggestion box

Paco_Alías — Tue, 02 Feb 2016 18:52:03 GMT

Just a quick update. We've tested the same scenario with HF25 and got the same result. Users can be created with

<script>alert('hacked!');</script>

as first or last name.

Re: XSS in suggestion box

Florent_Guillau — Wed, 03 Feb 2016 22:28:31 GMT

Yes as I mentioned above it's fixed for the upcoming Nuxeo 6.0-HF26.