XSS on resource URLs
Passbolt API version 1.6.4 is vulnerable to a XSS in the url field on the password workspace grid and sidebar.
- CVE: CVE-2017-1000442.
- Product affected: Passbolt API, Passbolt Docker.
- Version affected: v1.6.4 and below.
- Version fixed: v1.6.5
- Affected component: Resource url
- Vulnerability Type: Cross Site Scripting (XSS)
Impact of issue
Attack vector / exploitation
This issue was found and reported by Sumit Sahoo.
How did this happen?
Initially, the passbolt resource url field implemented pretty strong validation rules allowing only certain url schemes such as http or https only. Naturally, with time, our early private alpha testers requested to allow other url schemes such as ftp or ssh, so more relaxed rules were introduced prior to the public launch. When the URL was later on made clickable the team missed the security implications of that decision.
Are there other XSS vulnerability present?
Passbolt is supposed to be fairly well protected from XSS triggered by users because we forbid the use of characters such as ‘<’ and ‘>’ in the form data input / api. However in this particular case this protection was not enough.
What are you doing about it?
With the upcoming version 2 we are in the process of relaxing user input even further, so to compensate for that extra risk we will review all our use of innerHTML function or similar (such as jQuery.html). We have already completed this review in the plugin with version 1.6.5. We are also looking into adding additional automated XSS tests as part of our continuous integration processes.
- 2017-09-13 22:30:00 CET: Passbolt team received a security vulnerability report from Sumit Sahoo.
- 2017-09-14 07:00:00 CET: early morning we acknowledge the issue, start working on a fix and start looking for similar issues in other part of the code.
- 2017-09-14 14:00:00 CET: We deploy a fix on the demo server
- 2017-09-14 14:00:00 CET: We notify the reporter that a fix has been deployed.
- 2017-09-14 14:30:00 CET: We publish the fix on github, the release notes and this report.
This article was last updated on September 14th, 2017.