Stored-XSS vulnerability lead to remote code execution · Issue #5397 · gogs/gogs · GitHub
Stored-XSS vulnerability lead to remote code execution #5397


Closed
1 of 3 tasks
math1as opened this issue Sep 3, 2018 · 1 comment · Fixed by #6008
Labels
💊 bug Something isn't working 🔒 security Categorizes as related to security
Comments

@math1as
math1as commented Sep 3, 2018
  • Gogs version (or commit ref): <= 0.11.53.0603
  • Can you reproduce the bug at https://try.gogs.io:
    • Yes (provide example URL)
    • No
    • Not relevant
  • Log gist (usually found in log/gogs.log):

Description

There is no x-content-type-options:nosniff header when viewing a raw file.
This causes MIME type sniffing in some browsers, which finally turns into a stored-XSS vulnerability.
Although there is an HttpOnly flag on the cookie, an attacker could still get the CSRF token and edit the pre-receive script to carry out a remote code execution attack.
I could perform this attack in IE11/10 and other browsers using the IE core.

POC

TESTEML
Content-Type: text/html
Content-Transfer-Encoding: quoted-printable

=3Ciframe=20src=3D=27https://try.gogs.io/mathiaswu/33323/raw/master/1221.html=27=3E=3C=2Fiframe=3E

Save it to a .eml file and open it in IE11.

[screenshot: xss-gogs]

Patch

Add an x-content-type-options:nosniff header to prevent the browser from MIME type sniffing, just as GitHub / GitLab do.

Discoverer

Wenxu Wu of Tencent's Xuanwu Lab
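As an added example, not code from the issue or from Gogs itself: a Go net/http middleware that applies the header the reporter's patch asks for, next to an in-memory probe that a regression test can use to confirm the raw-file endpoint actually carries it. The handler, the request path and the HTML-looking blob are constructed for illustration and stand in for the real raw-file route.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rawFileHandler is a hypothetical stand-in for a "raw file" endpoint of the
// kind the issue describes (not Gogs' own handler). It serves the blob as
// text/plain so a browser that honours the header never renders it as HTML.
func rawFileHandler(content []byte) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "text/plain; charset=utf-8")
		w.Write(content)
	})
}

// noSniff wraps any handler and adds the header the reporter's patch asks for,
// which tells the browser to trust the declared Content-Type instead of
// sniffing the body.
func noSniff(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Content-Type-Options", "nosniff")
		next.ServeHTTP(w, r)
	})
}

// hasNoSniff reports whether a response carries the mitigation. It can be
// reused in a regression test or in an external header check against a
// deployed instance.
func hasNoSniff(h http.Header) bool {
	return strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff")
}

// probe issues an in-memory GET against a handler and returns the response
// headers, so the check runs offline without starting a server.
func probe(h http.Handler) http.Header {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/user/repo/raw/master/page.html", nil)
	h.ServeHTTP(rec, req)
	return rec.Result().Header
}

func main() {
	// Constructed sample: an HTML-looking blob committed to a repository.
	blob := []byte("<html><body><script>/* stored content */</script></body></html>")
	unprotected := rawFileHandler(blob)
	protected := noSniff(rawFileHandler(blob))
	fmt.Println("before patch, nosniff present:", hasNoSniff(probe(unprotected)))
	fmt.Println("after patch,  nosniff present:", hasNoSniff(probe(protected)))
}
```

The header is only effective together with an explicit, non-HTML Content-Type, which is why the handler sets text/plain before writing; with nosniff in place the browser uses that declared type and does not promote the body to text/html based on its contents.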

@math1as math1as changed the title Stored-XSS vulnerability in viewing raw file. Stored-XSS vulnerability lead to remote code execution Sep 3, 2018
@unknwon unknwon added 💊 bug Something isn't working 🔒 security Categorizes as related to security labels Sep 14, 2018
@NicoleG25

Was this issue ever addressed? Please note that CVE-2018-17031 was assigned.
@unknwon unknwon added this to the 0.12 milestone Jan 21, 2020
@unknwon unknwon modified the milestones: 0.12, 0.13 Jan 28, 2020
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 19, 2022