usd-2023-0001 | Friendica 2022.12 - Cross-Site Scripting (XSS)

Advisory ID: usd-2023-0001
Product: Friendica
Affected Version: 2022.12
Vulnerability Type: Cross-Site Scripting (CWE-79)
Security Risk: High
Vendor URL: https://friendi.ca/
Vendor acknowledged vulnerability: Yes
Vendor Status: Fixed

Description

The open source application Friendica is used to set up a decentralized social network. The focus lies on effective privacy settings and interoperability with third-party services. A reflected XSS vulnerability was found in the 404 Not Found error page of Friendica 2022.12.

Proof of Concept

The following request injects JavaScript code into the 404 error page.

GET /communityjh99m%22%3e%3cimg%20src%3da%20onerror%3dalert(document.domain)%3eov1pz/local?accounttype=organisation HTTP/1.1
Host: localhost
[...]

The following screenshot shows that the JavaScript code is executed in the context of the application:

Fix

It is recommended to treat all input to the website as potentially dangerous. Hence, all output that is dynamically generated from user-controlled data should be encoded according to the context in which it is rendered. Most programming languages provide standard functions for encoding meta characters.
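The following PHP snippet is an added illustration of the recommended fix; it is not Friendica's code and does not reproduce the affected 404 template. It shows a minimal 404 handler that reflects the requested path, once without encoding and once with context-aware HTML encoding via `htmlspecialchars`. The function names (`render404Unsafe`, `render404Safe`, `htmlEncode`) are assumptions chosen for the example, and the payload string is the URL-decoded path segment from the proof-of-concept request above, embedded here as constructed sample input so the script runs offline from the command line.

```php
<?php
// Added example (not Friendica's code): a minimal 404 handler that reflects
// the requested path, shown without output encoding and with HTML encoding.
declare(strict_types=1);

// Vulnerable variant: the raw request path is interpolated into HTML.
// In a real application $path would come from $_SERVER['REQUEST_URI'].
function render404Unsafe(string $path): string
{
    return "<h1>404 Not Found</h1><p>The page {$path} does not exist.</p>";
}

// Encode for the HTML body context. ENT_QUOTES additionally encodes both
// quote characters, so the same function is safe inside attribute values;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function htmlEncode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened variant: every user-controlled fragment passes through htmlEncode
// before it is concatenated into the markup.
function render404Safe(string $path): string
{
    return '<h1>404 Not Found</h1><p>The page ' . htmlEncode($path) . ' does not exist.</p>';
}

// Constructed payload: URL-decoded path segment from the advisory's PoC request.
$payload = 'communityjh99m"><img src=a onerror=alert(document.domain)>ov1pz';

echo "Unsafe output:\n" . render404Unsafe($payload) . "\n\n";
echo "Hardened output:\n" . render404Safe($payload) . "\n\n";

// Self-check: the hardened output must not contain the injected tag verbatim,
// and must contain its encoded form instead.
$safe = render404Safe($payload);
if (str_contains($safe, '<img') || !str_contains($safe, '&lt;img')) {
    throw new RuntimeException('Output encoding failed');
}
echo "Check passed: injected markup is rendered as text, not as a tag.\n";
```

Run with `php example.php` (PHP 8 or later for `str_contains`). In the hardened output the browser displays the payload literally as text; the `img` element and its `onerror` handler are never created, which is exactly the property the fix requires for any user-controlled value reflected into the page.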

References

Timeline

  • 2023-01-05: Vulnerability identified by Christian Pöschl
  • 2023-01-09: First contact request made to the vendor
  • 2023-01-15: Hotfix released by vendor (Friendica 2023.01)

Credits

This security vulnerability was identified by Christian Pöschl of usd AG.