
XSS in suggestion box

Paco_Alías
Confirmed Champ

Hi everybody

recently we have found that when creating a user, Nuxeo allows you to set some fields like firstName or lastName with HTML code. See examples below:

curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"xssuser", "properties":{"username":"xssuser", "email":"xss@athento.com", "lastName":"XSS attack!", "firstName":"<script>alert(\"You have been hacked!\");</script>", "password":"xsspasswd" } }' http://localhost:8080/nuxeo/api/v1/user

will result in the following situation:

[screenshot]

It is also possible to include the same fields in the user-creation form via the UI.

When you try to search the user using the suggestion box (on the top-right corner of the page) you'll get the following message:

[screenshot]

If you load the default search page and your compromised documents (users in this case) are included in the results page, the script code is also executed.

[screenshot]

The same happens when you change dc:title field or any field listed in the search layout.

Is there any bugfix for this?

Thanks,
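As an added illustration for this thread (it is not code from the post and not Nuxeo's own suggestion-box code), the mechanism behind the report: a hypothetical dropdown renderer that concatenates the user's name straight into HTML, beside one that HTML-encodes each field before it is inserted. The user object is constructed from the curl payload above; the function names (renderSuggestionUnsafe, renderSuggestionSafe, escapeHtml, containsRawTag) are my own.

```javascript
// Constructed from the curl payload in the post: a user whose firstName
// holds markup. Nothing stops the REST API from storing it as-is.
const xssUser = {
  username: "xssuser",
  firstName: '<script>alert("You have been hacked!");</script>',
  lastName: "XSS attack!",
};

// Hypothetical vulnerable renderer (not Nuxeo's code): the display name is
// spliced into the dropdown entry as HTML, so the stored <script> element
// becomes part of the page once the entry is assigned to innerHTML.
function renderSuggestionUnsafe(user) {
  return (
    "<div class='suggestion'>" +
    user.firstName + " " + user.lastName +
    " (" + user.username + ")</div>"
  );
}

// HTML-encode the five characters that can switch parsing context inside
// element content or a quoted attribute value.
function escapeHtml(value) {
  const map = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: every user-controlled field is encoded at the point
// where it is written into HTML. The stored value is left untouched, so a
// legitimate name such as "O'Brien & Sons" still displays correctly.
function renderSuggestionSafe(user) {
  return (
    "<div class='suggestion'>" +
    escapeHtml(user.firstName) + " " + escapeHtml(user.lastName) +
    " (" + escapeHtml(user.username) + ")</div>"
  );
}

// Check used to compare the two renderers: does the produced markup still
// contain a raw <script ...> tag that the browser would parse as an element?
function containsRawTag(html) {
  return /<\s*script\b/i.test(html);
}

// Stand-alone demonstration.
console.log("unsafe:", renderSuggestionUnsafe(xssUser));
console.log("safe:  ", renderSuggestionSafe(xssUser));
console.log("unsafe contains live tag:", containsRawTag(renderSuggestionUnsafe(xssUser)));
console.log("safe contains live tag:  ", containsRawTag(renderSuggestionSafe(xssUser)));
```

In a real widget the simpler fix is to never build the entry as an HTML string at all: create the element and assign the name with `textContent`, which the browser never parses as markup. Either way the defence belongs in the view layer; filtering `<` out of names at creation time would reject valid input and would not protect the other listing pages the post mentions (search results, dc:title), which render the same stored value through different templates.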

1 ACCEPTED ANSWER

Florent_Guillau
World-Class Innovator

Hi,

The problem with the results in the top-right search box for a compromised user name (or document title in some situations) is fixed for the next releases and hotfixes (6.0-HF26, 7.10-HF04, 8.1). Our internal reference for this is NXP-18833 (the ticket is not yet public).

I couldn't reproduce any issue with the display of a compromised document title in search results. Could you expand on the exact issue? Note that previous XSS issues have been fixed, notably for Nuxeo 6.0-HF20, so you should make sure you test on the latest hotfix release.


10 REPLIES

Florent_Guillau
World-Class Innovator

Hi Paco. Thanks for the report, we'll investigate ASAP. On what version of Nuxeo did you test?

Paco_Alías
Confirmed Champ

6.0 is in the tags


First of all, very thankful for your quick response. We will apply the hotfixes and let you know the results.

Paco_Alías
Confirmed Champ

Here are the screenshots with the documents issue 6.0-HF01

I couldn't reproduce this with the latest hotfix 6.0-HF25.

I will test as soon as I have the opportunity. Thanks.


Paco_Alías
Confirmed Champ

Just a quick update. We've tested the same scenario with HF25 and got the same result. Users can be created with

<script>alert('hacked!');</script>

as first or last name.