usd-2023-0001 | Friendica 2022.12 - Cross-Site Scripting (XSS)
Advisory ID: usd-2023-0001
Product: Friendica
Affected Version: 2022.12
Vulnerability Type: Cross-Site Scripting (CWE-79)
Security Risk: High
Vendor URL: https://friendi.ca/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed
Description
The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services. A reflected XSS vulnerability was found in the 404 Not Found error page of Friendica 2022.12.
Proof of Concept
The following request injects JavaScript code into the 404 error page.
GET /communityjh99m%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3eov1pz/local?accounttype=organisation HTTP/1.1
Host: localhost
[...]
The following screenshot shows that the JavaScript code is executed in the context of the application:
Fix
It is recommended to treat all input to the website as potentially dangerous. Hence, all output that is dynamically generated from user-controlled data should be encoded according to the context in which it is rendered. Most programming languages provide standard functions for encoding such meta characters.
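As an added illustration (not Friendica's code), the following Python shows the unsafe pattern behind a reflected 404 page next to its output-encoded form, using the advisory's proof-of-concept path as constructed input; the function names are assumed for the example.

```python
import html
from urllib.parse import unquote

# Constructed input: the URL-encoded request path from the proof of concept above.
POC_PATH = (
    "/communityjh99m%22%3e%3cimg%20src%3da%20onerror%3d"
    "alert(document.domain)%3eov1pz/local"
)


def render_404_unsafe(path: str) -> str:
    """Vulnerable pattern: the decoded path is interpolated into HTML verbatim,
    so markup smuggled through the URL becomes live elements in the page."""
    return f'<p>The page "{unquote(path)}" could not be found.</p>'


def render_404_safe(path: str) -> str:
    """Hardened pattern: encode for the HTML text/attribute context before
    interpolating. html.escape() turns <, >, &, " and ' into entities, so the
    browser renders the payload as text instead of parsing it as markup."""
    encoded = html.escape(unquote(path), quote=True)
    return f'<p>The page "{encoded}" could not be found.</p>'


def contains_live_markup(rendered: str) -> bool:
    """Simple check for the reflected element; used to compare both renderings."""
    return "<img" in rendered.lower()


if __name__ == "__main__":
    print("unsafe:", render_404_unsafe(POC_PATH))
    print("safe:  ", render_404_safe(POC_PATH))
```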
References
- https://owasp.org/www-community/attacks/xss/
- https://friendi.ca/2023/01/15/friendica-2023-01-released/
Timeline
- 2023-01-05: Vulnerability identified by Christian Pöschl
- 2023-01-09: First contact request made to the vendor
- 2023-01-15: Hotfix released by vendor (Friendica 2023.01)
Credits
This security vulnerability was identified by Christian Pöschl of usd AG.