Papaya Medical Viewer 1.0 Cross Site Scripting

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512  
  
Title  
=====  
  
SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer  
  
Status  
======  
  
PUBLISHED  
  
Version  
=======  
  
1.0  
  
CVE reference  
=============  
  
CVE-2023-33255  
  
Link  
====  
  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/  
  
Text-only version:  
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt  
  
Further SCHUTZWERK advisories:  
https://www.schutzwerk.com/blog/tags/advisories/  
  
  
Affected products/vendor  
========================  
  
Papaya, Research Imaging Institute - University of Texas Health Science   
Center  
  
Summary  
=======  
  
User supplied input in the form of DICOM or NIFTI images can be loaded   
into the  
Papaya web application without any kind of sanitization. This allows to   
inject  
arbitrary JavaScript code into the image's metadata which will in   
consequence be  
executed as soon as the metadata is displayed in the Papaya web application.  
  
Risk  
====  
  
The vulnerability allows an attacker to inject arbitrary JavaScript code   
into  
the Papaya web application. A risk calculation highly depends on how the   
Papaya  
software is used as a library in the context of a bigger medical web  
application. During the discovery of this vulnerability, the web application  
which used Papaya allowed to upload and store corresponding images on   
the web  
server and display them to multiple users. It was therefore possible to   
store  
JavaScript code on the server and attack users to impersonate or steal their  
session, leading to a disclosure of sensitive medical data.  
  
Description  
===========  
  
A medical web application assessed for security vulnerabilities by   
SCHUTZWERK  
was found to contain a stored cross-site-scripting vulnerability. The  
application uses the Papaya JavaScript software[0] published by the Research  
Imaging Institute belonging to the University of Texas Health Science   
Center[1].  
  
The software is described as "[..] a pure JavaScript medical research image  
viewer, supporting DICOM and NIFTI formats, compatible across a range of web  
browsers [..]". It can be used stand-alone or integrated into larger medical  
applications, has 192 forks and 488 stars on GitHub and was used in at   
least 50  
published academic research papers[2].  
  
One of the main features is to open medical images of multiple formats,   
which  
can be achieved via the context menu "File - Add image...". Papaya then   
displays  
the image and adds a new icon in the upper right corner of the viewer.   
This icon  
allows to open another context menu to edit the previous opened image as   
a layer  
in multiple ways. The option of interest for the cross-site-scripting  
vulnerability is the "Show Header" entry, which allows getting further  
information about the medical image.  
  
An example DICOM[3] zip archive was downloaded[4], extracted and opened in  
Papaya. The "Show Header" function shows multiple entries including private  
patient data fields like patient ID, name, date of birth and gender.  
  
The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create   
and edit  
DICOM images. The metadata field "Manufacturer" of the previously downloaded  
DICOM image was edited with help of the DCMTK tool dcmodify:  
  
DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m  
"Manufacturer=<script>alert(1)</script>" 2_skull_ct/DICOM/I0  
  
The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:  
  
dcmdump 2_skull_ct/DICOM/I0  
  
[..]  
# Dicom-Data-Set  
[..] (0008,0070) LO [<script>alert(1)</script>] # 26, 1   
Unknown  
Tag & Data [..]  
  
Viewing the header information of the manipulated DICOM image in Papaya   
executes  
the injected JavaScript code in the web browser.  
  
SCHUTZWERK decided to publish the still existing vulnerability (commit   
4a42701),  
since the vendor did not implement any remediation several months after new  
contributors have been introduced to the project.  
  
  
Solution/Mitigation  
===================  
  
Several mitigation recommendations have been sent to the vendor. These   
include  
common mitigation strategies from OWASP[6], like escaping user   
controlled input  
and the usage of popular JavaScript libraries like DomPurify[7].  
  
As a quick workaround, the context menu, which allows showing header   
information  
can be disabled by setting the variable kioskMode to true.  
  
  
Disclosure timeline  
===================  
  
  
2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to  
vendor  
2020-09-30: Contacted vendor again  
2020-09-30: Vendor responds and asks for mitigation ideas  
2020-10-01: Response to vendor with detailed information and mitigation   
ideas  
2020-11-09: Contacted vendor again for any status updates  
2022-08-30: Retest of the customer application including the Papaya web  
application  
2022-09-21: Notified vendor of intention to publish advisory  
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will   
maintain the  
project  
2023-04-19: Informed vendor about publication deadline on May 15, 2023  
2023-05-08: Vendor replied with intention to fix vulnerability until May   
15,2023  
2023-05-15: Vulnerability fixed by vendor  
2023-05-26: Advisory published by SCHUTZWERK  
  
Contact/Credits  
===============  
  
The vulnerability was discovered during an assessment by Lennert Preuth of  
SCHUTZWERK GmbH.  
  
  
References  
==========  
  
[0] https://github.com/rii-mango/Papaya  
[1] https://rii.uthscsa.edu/  
[2] http://mangoviewer.com/pubs.html  
[3] https://en.wikipedia.org/wiki/DICOM  
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/  
[5] https://dicom.offis.de/dcmtk.php.de  
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_  
Prevention_Cheat_Sheet.html  
[7] https://github.com/cure53/DOMPurify  
  
  
Disclaimer  
==========  
  
The information in this security advisory is provided "as is" and without  
warranty of any kind. Details of this security advisory may be updated   
in order  
to provide as accurate information as possible. The most recent version   
of this  
security advisory can be found at SCHUTZWERK GmbH's website.  
-----BEGIN PGP SIGNATURE-----  
  
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp  
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP  
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO  
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP  
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw  
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE  
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa  
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4  
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+  
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l  
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/  
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp  
4bKAQKWvxQG8GpbKuQT4on0=  
=IEuk  
-----END PGP SIGNATURE-----  
  
--   
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany  
Zertifiziert / Certified ISO 27001, 9001 and TISAX  
  
Phone +49 731 977 191 0  
  
[email protected] / www.schutzwerk.com  
  
Geschäftsführer / Managing Directors:  
Jakob Pietzka, Michael Schäfer  
  
Amtsgericht Ulm / HRB 727391  
Datenschutz / Data Protection www.schutzwerk.com/datenschutz  
  
`