Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormTimo SchmidPACKETSTORM:129118
HistoryNov 14, 2014 - 12:00 a.m.

Gogs Markdown Renderer Cross Site Scripting

2014-11-1400:00:00
Timo Schmid
packetstormsecurity.com
54

0.005 Low

EPSS

Percentile

72.7%

JSON
`  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: RIPEMD160  
  
XSS in Gogs Markdown Renderer  
=============================  
Researcher: Timo Schmid <[email protected]>  
  
  
Description  
===========  
Gogs(Go Git Service) is a painless self-hosted Git Service written in  
Go. (taken  
from [1])  
  
It is very similiar to the github hosting plattform. Multiple users can  
create  
multiple repositories and share code with others with the git version  
control  
system. Repositories can be marked as public or private to prevent  
access from  
unauthorized users.  
  
Gogs provides two api views to transform markdown into HTML at the urls  
/api/v1/markdown and /api/v1/markdown/raw  
  
The transformation is vulnerable to XSS.  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
Medium  
  
  
CVSS Base Score  
===============  
4.3 (AV:N / AC:M / Au:N / C:P / I:N / A:N)  
  
  
CVE-ID  
======  
CVE-2014-8683  
  
  
Impact  
======  
The vulnerability could be used together with social engineering attacks  
to gain  
access to restricted resources by extracting authentication tokens from  
cookies  
or by executing commands in the context of the logged in victim.  
  
  
Status  
======  
Not fixed  
  
  
Vulnerable Code Section  
=======================  
models/issue.go:  
[...]  
func RenderMarkdown(rawBytes []byte, urlPrefix string) []byte {  
body := RenderSpecialLink(rawBytes, urlPrefix)  
body = RenderRawMarkdown(body, urlPrefix)  
return body  
}  
  
func RenderMarkdownString(raw, urlPrefix string) string {  
return string(RenderMarkdown([]byte(raw), urlPrefix))  
}  
[...]  
  
  
Proof of Concept  
================  
Form to trigger XSS:  
<form action="http://example.com/api/v1/markdown" method="post">  
<input name="text" value="<img  
onerror="alert("XSS")  
" src="x">">  
<input type="submit">  
</form>  
  
Response:  
<p><img onerror="alert("XSS")" src="x"></p>  
  
  
Solution  
========  
The markdown processing should reject or filter any HTML input and  
process only  
markdown content.  
  
  
Affected Versions  
=================  
>= v0.3.1-9-g49dc57e  
  
  
Timeline  
========  
2014-09-25: Developer informed  
2014-10-16: Contact of developer regarding fix  
2014-10-25: Working together with developer on fix  
2014-11-03: Contacted developer  
2014-11-14: CVE-ID assigned  
  
  
Credits  
=======  
Pascal Turbing <[email protected]>  
Jiahua (Joe) Chen <[email protected]>  
  
  
References  
==========  
[1] https://github.com/gogits/gogs  
[2] http://gogs.io/  
[3] https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)  
[4] https://www.ernw.de/download/BC-1404.txt  
  
  
Advisory-ID  
===========  
BC-1404  
  
  
Disclaimer  
==========  
The information herein contained may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There  
are NO  
warranties, implied or otherwise, with regard to this information or its  
use.  
Any use of this information is at the user's risk. In no event shall the  
author/  
distributor be held liable for any damages whatsoever arising out of or in  
connection with the use or spread of this information.  
  
- --   
Timo Schmid  
  
ERNW GmbH, Carl-Bosch-Str. 4, 69115 Heidelberg - www.ernw.de  
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 151 16227192  
PGP-FP 971B D4F7 5DD1 FCED 11FC 2C61 7AB6 927D 6F26 6CE0  
  
Handelsregister Mannheim: HRB 337135  
Geschaeftsfuehrer: Enno Rey  
  
==============================================================  
|| Blog: www.insinuator.net | | Conference: www.troopers.de ||  
==============================================================  
================== TROOPERS15 ==================  
* International IT Security Conference & Workshops  
* 16th - 20st March 2015 / Heidelberg, Germany  
* www.troopers.de  
====================================================  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v2  
  
iQEcBAEBAwAGBQJUZlGDAAoJEHq2kn1vJmzgr28H/20Yb2h9Wj7eUD7/L8jggNVz  
QISEQYsS6tuUGM59fYNRj7qGa/PnX5biaW3qD2Zy3erS+CfO4pFOGMZcjFSyNrL5  
sFZmVAYftGnPLYTFh2Wt4iV3Yx3CgPzdlYZFSqXDynw5xWokSTqnlquwiUrIG1JW  
45CYitwsTd9KzaoCMzeQeiPbSbjrZ+kQyM6+iMuBTqyfpbIf1A4kpJi0sULEU/a2  
fMPUmlFoFBSlIfxUXKY8sRcritZHI9GiMnVOGsHxtW3RSszP3MfNDu0uJ4AaAHRF  
3J1AH2DCuKrig9rMxUWzI3RrogOc5HrQYIIhM2gv8E7W2xkP4Ypozxwaw7JwBS4=  
=uWDU  
-----END PGP SIGNATURE-----  
  
  
  
  
`

Related

veracode 1
gitlab 1
osv 1
securityvulns 2
zdt 1
prion 1
github 1
cve 1
openvas 1
veracode
veracode
Cross-site Scripting (XSS)
2017-04-28 07:24:32
gitlab
gitlab
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
2021-06-29 00:00:00
osv
osv
Cross-site Scripting in Gogs
2021-06-29 18:32:53
securityvulns
securityvulns
CVE-2014-8683 XSS in Gogs Markdown Renderer
2014-12-01 00:00:00
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-12-01 00:00:00
zdt
zdt
Gogs Markdown Renderer Cross Site Scripting Vulnerability
2014-11-16 00:00:00
prion
prion
Cross site scripting
2014-11-21 15:59:00
github
github
Cross-site Scripting in Gogs
2021-06-29 18:32:53
cve
cve
CVE-2014-8683
2014-11-21 15:59:00
openvas
openvas
Gogs >= 0.3.1, < 0.5.8 Multiple Vulnerabilities
2015-02-06 00:00:00

0.005 Low

EPSS

Percentile

72.7%

JSON
Related for PACKETSTORM:129118
veracode1gitlab1osv1securityvulns2zdt1prion1github1cve1openvas1