Headline
CVE-2023-24720: ReadiumJS Cloud Reader — Everybody Gets an XSS!
An arbitrary file upload vulnerability in readium-js v0.32.0 allows attackers to execute arbitrary code via uploading a crafted EPUB file.
Finding these bugs required a deep dive into the targets and their underlying technologies. This meant that, among other things, I learnt about the existence of the
EPUB format
and the world of EPUB cloud readers.
This led me to discover a (surprisingly, somewhat known) XSS vulnerability in the
Readium
cloud reader that affects many university websites and online libraries.
I have attempted to get in touch with the maintainers to remediate the issue, but have not yet received any response. Going by the conventional 90-day disclosure timeline, I am now sharing details on this vulnerability.
**
What is an EPUB? What is a Readium?
**
The EPUB format is an XML-based ebook format created by the
International Digital Publishing Forum (IDPF)
. It is one of the major ebook formats around today. Unlike other proprietary formats such as Amazon’s Kindle KF8, the EPUB format is vendor-independent.
The
Readium
project was started by IDPF, and is one of the cited EPUB readers on the
W3 website
.
To see it in action, we can visit the Readium cloud reader
demo
. We can quickly see that the cloud reader renders iframes containing pages of the ebook.
Each page is fetched from the location indicated in data-src and converted into the final rendered HTML. The pages are XHTML files and are called EPUB
content documents
. For example, page 1 of La Page Blanche contains the following content.
<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:epub="http://www.idpf.org/2007/ops">
<meta name="viewport" content="width=1200, height=1577" />
<title>La Page Blanche</title>
<link href="…/Style/style.css" type="text/css" rel="stylesheet" />
<div class="page" epub:type="frontmatter titlepage"><img
src="…/Image/PageBlanche_Page_001.jpg" alt="page 1" /></div>
First of all, we could see that the iframe does not have the sandbox attribute present. This means that any scripts firing within the iframe would execute on the same origin as its src.
Readium will create a Blob containing the page data and create a new blob: URL for it (
source
). This is the URL that the frame src is set to (
source
).
// prefer BlobBuilder as some browser supports Blob constructor but fails using it
if (window.BlobBuilder) {
var builder = new BlobBuilder();
builder.append(contentDocumentData);
blob = builder.getBlob(contentType);
blob = new Blob([contentDocumentData], {’type’: contentType});
documentDataUri = window.URL.createObjectURL(blob);
iframe.setAttribute("src", documentDataUri);
Unfortunately, this means that the iframe’s origin will always be that of the parent page.
Suppose we are able to upload an ebook to an online library using Readium. We might upload a malicious EPUB that runs some evil JavaScript. Any user that opens our ebook would then have their account compromised.
To create such an EPUB, I copied an example EPUB from the Readium demo and changed the home page. An example PoC can be found
here
.
Note that we are using x:script to make the payload work with XHTML parsers.
<x:script xmlns:x="http://www.w3.org/1999/xhtml">alert(document.domain)</x:script>
The above scenario requires us to have privileges on the target site to upload arbitrary EPUBs and serve them to other users. It turns out, however, that the cloud reader is able to load remote EPUBs as well.
The cloud reader uses
medialize/URI.js
to normalize the epub query parameter, which is a relative URL (
source
).
ebookURL = new URI(ebookURL).absoluteTo(thisRootUrl).toString();
However, when ebookURL is an absolute URL, absoluteTo retains the original base URL.
This means that by simply passing our hosted exploit URL to the epub query parameter, we have a reflected XSS! This does not require us to have any permissions on the target site.
Using the example PoC on the Readium demo should pop an alert:
https://readium.firebaseapp.com/?epub=https://zeyu2001.github.io/readium-xss/
The Readium cloud reader is a rather old project. While more recent and popular cloud readers have been developed, some sites still use the Readium cloud reader, including the IDPF’s own website and several university sites.
I have made best effort attempts at identifying these sites (e.g. through Google dorking) and reaching out to the responsible teams to remediate this vulnerability before the release of this post.
Interestingly, after doing some digging, I found that this was somewhat of a known issue.
This
documentation explains the issue.
One should note that if a cloud reader aims to support JavaScript, all publications will at least share the same database, which means it is possible for an author to access data that originated in a different publication.
However, it leaves only the following suggestions to mitigate the vulnerability.
Currently, the only options to protect against attacks (see “Security Concerns” section) are:
- the Content Security Policy;
These suggestions are not implemented in the default installation of
readium-js-viewer
.
Since this is quite an old project, the best remediation might be to move to a more modern cloud reader. If Readium needs to be used, the iframes on the page should have the sandbox attribute set.
Additionally, the page’s Content Security Policy can be used to restrict where scripts can be loaded from.
11 October 2022: Contacted maintainers through OSS platform
huntr.dev
- 16 December 2022: Contacted maintainers through GitHub issue
- 27 January 2022: This blog post is released