Open-Xchange: XSS - Guard - Insufficient escaping of User-IDs from PGP Keys

2020-02-04T08:28:47
ID H1:788691
Type hackerone
Reporter zhutyra
Modified 2020-06-17T15:47:43

Description

Vulnerability

PGP user IDs are typically in form of name <address> and OX Guard properly escapes angle brackets when inserting them to HTML.

But in the code for displaying a list of keys it inserts IDs into HTML attributes without escaping double quote characters.

```javascript
// guard/oxguard-ui/apps/oxguard/pgp/keyDetails.js

function getTable(keyRings, tableId, autoCrypt) {
    ...
    var email = getUserIds(keyRings[i].publicRing);
    // angle brackets are escaped, but double quotes are left untouched
    email = email.replace(/>/gi, '&gt;').replace(/</gi, '&lt;');
    var td1 = $('<td class="oxguard_pubkeylist emailKey" title="' + email + '">');
    ...
    var td2 = $('<td class="oxguard_pubkeylist" title="' + email + ' ' + keyRings[i].ids + '">');
    ...
}
```

So with double quotes it is possible to inject additional HTML attributes into the generated HTML:

```html
<td ... title="foo" onevent="javascript" bar="baz">
               |------------ user id ------------|
                    |--------- injected ---------|
```

Triggers

The vulnerable code is triggered in Settings when displaying the list of all keys, or in the Address Book when displaying the list of keys of an individual contact. Possibly also at other locations that I had not noticed.

Attack vectors

  • A malicious key can be sent by email as an attachment or in an Autocrypt header. The victim will then be offered an option to import this key. For Autocrypt keys there is also an option to Import autocrypt keys without asking in the settings, in which case it will be imported automatically.
  • Alternatively, another user in a public/shared address book can import such a key as his own key, which will be visible to other users too.
  • Guard can also be configured to find PGP keys on external key servers, but I haven't tested it.

Example key

Attached is an example key {F705451} which expands the affected td element to full screen and displays a JavaScript alert on mouse move over it. Its user ID is:

```html
foo" onmousemove="alert&#40;'XSS'&#41;" style="background-color:red;opacity:0.2; position:fixed;top:0;height:100%;left:-4000px;width:8000px;max-width:8000px;" data-rest="bar
```

Steps to reproduce

  • Create/send an email with my example key as an attachment
  • View the email and click on PGP Public Key Found. Click to Import.
  • Go to Settings / Security / Guard / Advanced / Show advanced settings / Keys / Public keys of recipients
  • The screen should get overlaid with a slightly transparent red layer and an XSS pop-up on mouse move

Impact

An attacker can execute arbitrary JavaScript in the victim's browser and take over his session/data.