usd-2022-0048 | Tracim 4.4.2 - Stored Cross-Site Scripting


Advisory ID: usd-2022-0048
Affected Product: Tracim
Affected Version: 4.4.2 (probably others too)
Vulnerability Type: Cross-Site Scripting (CWE-79)
Security Risk: High
Vendor URL: https://tracim.fr
Vendor Acknowledged Vulnerability: No
Vendor Status: Not fixed
CVE ID: CVE-2022-45144
CVE Link: https://nvd.nist.gov/vuln/detail/CVE-2022-45144

The following behavior was reported to Tracim in November 2022. After several contact attempts, the usd AG Responsible Disclosure Team did not receive any response. In order to inform the users of Tracim about the unresolved vulnerability, the advisory was published in accordance with our Responsible Disclosure Policy.

Description

Tracim is a collaborative platform that allows teams to share and work on various types of data and documents. The application allows HTML files to be uploaded, which leads to a stored Cross-Site Scripting (XSS) attack.

In addition to the stored XSS vulnerability, the impact can be increased by using an HTML injection in the comments feature. This endpoint usually blocks XSS attempts using a CSP, which can be bypassed. The tested version was Tracim 4.4.2.

Proof of Concept (PoC)

The application allows HTML files to be uploaded, which can then be viewed "raw" using a link similar to the one below:

http://localhost:8080/api/workspaces/1/files/19/raw/test.html

This upload functionality makes the application vulnerable to a stored XSS, because the uploaded file is rendered in the context of the application.

Tracim implements the following CSP:

Content-Security-Policy: script-src 'unsafe-eval' 'nonce-67c3972badf9a5c68a68fb5b107ab5f0ce1c8d0b15e6b9342d68b53f56cd4238'; style-src 'unsafe-inline' 'self'; connect-src 'self'; font-src data: blob: *; img-src data: blob: *; media-src data: blob: *; frame-src * 'self'; object-src 'none'; default-src 'self'

To attack more users from inside the application, one needs to bypass the CSP and embed the uploaded file in a commonly visited place. Tracim allows injection of HTML into a comment. The endpoint uses a CSP to block XSS attempts. However, the CSP can be bypassed by using our uploaded HTML file as an iframe source: the policy shown above sets frame-src * 'self', so an iframe pointing at the uploaded file is allowed to load.

POST /api/workspaces/1/contents/22/comments HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:103.0) Gecko/20100101 Firefox/103.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost:8080/ui/workspaces/1/publications
X-Tracim-ClientToken: ed6ba1bc-fae7-49cd-9490-8c38dd33ba13
Content-Type: application/json
Content-Length: 164
Origin: http://localhost:8080

[...]

{"raw_content":"<iframe src=\"http://localhost:8080/api/workspaces/1/files/19/raw/test.html\"></iframe>","content_namespace":"publication"}

Fix

It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context. The majority of programming languages support standard procedures for encoding meta characters. It is also recommended to restrict the file types allowed by the file upload function.
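One way to apply the file-type restriction at the point where uploaded files are served, shown as an added example (not Tracim's code and not part of the original advisory). The function name, the inline allowlist and the choice of response headers are assumptions; only the file name test.html comes from the PoC above.

```python
import posixpath
from urllib.parse import quote

# Assumption: the only types this deployment renders inline in the browser.
# Everything else, including .html and .svg, is sent as a download.
INLINE_TYPES = {
    ".png": "image/png",
    ".jpg": "image/jpeg",
    ".jpeg": "image/jpeg",
    ".gif": "image/gif",
    ".txt": "text/plain; charset=utf-8",
}


def raw_file_headers(filename):
    """Build response headers for a user-uploaded file served from the app origin."""
    # Keep only the last path component, whatever separator the client used.
    name = posixpath.basename(filename.replace("\\", "/")) or "download"
    ext = posixpath.splitext(name)[1].lower()
    inline_type = INLINE_TYPES.get(ext)
    disposition = "inline" if inline_type else "attachment"
    return {
        # Unknown or active types are never labelled as something renderable.
        "Content-Type": inline_type or "application/octet-stream",
        # Percent-encoding the name keeps quotes and CR/LF out of the header.
        "Content-Disposition": f"{disposition}; filename*=UTF-8''{quote(name, safe='')}",
        # Stops the browser from sniffing HTML out of a mislabelled file.
        "X-Content-Type-Options": "nosniff",
        # Defence in depth: if the body is rendered anyway, it gets an opaque
        # origin and may not run scripts or load subresources.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # The file name from the PoC is downloaded instead of rendered.
    for key, value in raw_file_headers("test.html").items():
        print(f"{key}: {value}")
```

With these headers the file is no longer rendered as a document in the application's origin, whether it is opened directly or referenced as an iframe source.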

Timeline

  • 2022-11-10: This vulnerability was identified by Christian Pöschl.
  • 2022-11-10: Initial contact to vendor via e-mail.
  • 2022-12-16: Second attempt to contact vendor.
  • 2023-02-17: Third attempt to contact vendor.
  • 2023-04-24: Fourth attempt to contact vendor with notification about upcoming release plans for advisory.
  • 2023-05-15: Security advisory released by usd AG.

Credits

This security vulnerability was found by Christian Pöschl of usd AG.