-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Title

SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer

Status

PUBLISHED

Version

1.0

CVE reference

CVE-2023-33255

Link

https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/

Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt

Further SCHUTZWERK advisories:
https://www.schutzwerk.com/blog/tags/advisories/

Affected products/vendor

Papaya, Research Imaging Institute - University of Texas Health Science
Center

Summary

User supplied input in the form of DICOM or NIFTI images can be loaded
into the
Papaya web application without any kind of sanitization. This allows to
inject
arbitrary JavaScript code into the image’s metadata which will in
consequence be
executed as soon as the metadata is displayed in the Papaya web application.

Risk

The vulnerability allows an attacker to inject arbitrary JavaScript code
into
the Papaya web application. A risk calculation highly depends on how the
Papaya
software is used as a library in the context of a bigger medical web
application. During the discovery of this vulnerability, the web application
which used Papaya allowed to upload and store corresponding images on
the web
server and display them to multiple users. It was therefore possible to
store
JavaScript code on the server and attack users to impersonate or steal their
session, leading to a disclosure of sensitive medical data.

Description

A medical web application assessed for security vulnerabilities by
SCHUTZWERK
was found to contain a stored cross-site-scripting vulnerability. The
application uses the Papaya JavaScript software[0] published by the Research
Imaging Institute belonging to the University of Texas Health Science
Center[1].

The software is described as "[…] a pure JavaScript medical research image
viewer, supporting DICOM and NIFTI formats, compatible across a range of web
browsers […]". It can be used stand-alone or integrated into larger medical
applications, has 192 forks and 488 stars on GitHub and was used in at
least 50
published academic research papers[2].

One of the main features is to open medical images of multiple formats,
which
can be achieved via the context menu "File - Add image…". Papaya then
displays
the image and adds a new icon in the upper right corner of the viewer.
This icon
allows to open another context menu to edit the previous opened image as
a layer
in multiple ways. The option of interest for the cross-site-scripting
vulnerability is the “Show Header” entry, which allows getting further
information about the medical image.

An example DICOM[3] zip archive was downloaded[4], extracted and opened in
Papaya. The “Show Header” function shows multiple entries including private
patient data fields like patient ID, name, date of birth and gender.

The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create
and edit
DICOM images. The metadata field “Manufacturer” of the previously downloaded
DICOM image was edited with help of the DCMTK tool dcmodify:

DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m
“Manufacturer=<script>alert(1)</script>” 2_skull_ct/DICOM/I0

The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:

dcmdump 2_skull_ct/DICOM/I0

[…]

Dicom-Data-Set

[…] (0008,0070) LO [<script>alert(1)</script>] # 26, 1
Unknown
Tag & Data […]

Viewing the header information of the manipulated DICOM image in Papaya
executes
the injected JavaScript code in the web browser.

SCHUTZWERK decided to publish the still existing vulnerability (commit
4a42701),
since the vendor did not implement any remediation several months after new
contributors have been introduced to the project.

Solution/Mitigation

Several mitigation recommendations have been sent to the vendor. These
include
common mitigation strategies from OWASP[6], like escaping user
controlled input
and the usage of popular JavaScript libraries like DomPurify[7].

As a quick workaround, the context menu, which allows showing header
information
can be disabled by setting the variable kioskMode to true.

Disclosure timeline

2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to
vendor
2020-09-30: Contacted vendor again
2020-09-30: Vendor responds and asks for mitigation ideas
2020-10-01: Response to vendor with detailed information and mitigation
ideas
2020-11-09: Contacted vendor again for any status updates
2022-08-30: Retest of the customer application including the Papaya web
application
2022-09-21: Notified vendor of intention to publish advisory
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will
maintain the
project
2023-04-19: Informed vendor about publication deadline on May 15, 2023
2023-05-08: Vendor replied with intention to fix vulnerability until May
15,2023
2023-05-15: Vulnerability fixed by vendor
2023-05-26: Advisory published by SCHUTZWERK

Contact/Credits

The vulnerability was discovered during an assessment by Lennert Preuth of
SCHUTZWERK GmbH.

References

[0] https://github.com/rii-mango/Papaya
[1] https://rii.uthscsa.edu/
[2] http://mangoviewer.com/pubs.html
[3] https://en.wikipedia.org/wiki/DICOM
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/
[5] https://dicom.offis.de/dcmtk.php.de
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_
Prevention_Cheat_Sheet.html
[7] https://github.com/cure53/DOMPurify

Disclaimer

The information in this security advisory is provided “as is” and without
warranty of any kind. Details of this security advisory may be updated
in order
to provide as accurate information as possible. The most recent version
of this
security advisory can be found at SCHUTZWERK GmbH’s website.
-----BEGIN PGP SIGNATURE-----

iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp
4bKAQKWvxQG8GpbKuQT4on0=
=IEuk
-----END PGP SIGNATURE-----

–
SCHUTZWERK GmbH, Pfarrer-Weiß-Weg 12, 89077 Ulm, Germany
Zertifiziert / Certified ISO 27001, 9001 and TISAX

Phone +49 731 977 191 0

[email protected] / www.schutzwerk.com

Geschäftsführer / Managing Directors:
Jakob Pietzka, Michael Schäfer

Amtsgericht Ulm / HRB 727391
Datenschutz / Data Protection www.schutzwerk.com/datenschutz