Ask Question
« General Questions on Nuxeo

XSS in suggestion box

Hi everybody

recently we have found that when creating a user, Nuxeo allows you to set some fields like firstName or lastName with HTML code. See examples below:

curl -X POST -H "Content-Type: application/json" -u Administrator:Administrator -d '{ "entity-type": "user", "id":"xssuser", "properties":{"username":"xssuser", "email":"xss@athento.com", "lastName":"XSS attack!", "firstName":"<script>alert(\"You have been hacked!\");</script>", "password":"xsspasswd" } }' http://localhost:8080/nuxeo/api/v1/user

will result in the following situation type an image title

It is also possible to include the same fields in the creation-user form vía UI.

When you try to search the user using the suggestion box (on the top-right corner of the page) you'll get the following message:

type an image title

If you load the default search page and your compromising documents (users in this case) is included in the results page, the script code is also executed.

type an image title

The same happens when you change dc:title field or any field listed in the search layout.

¿Is it any bugfix around this?

Thanks,

FILES:   xss01.png   xss02.png   xss03.png
Paco Alías
Member (699)   1   3   4 		01/18/2016 ( History)
2 votes
2 answers
3708 views
ANSWER
Florent Guillaume
Hi Paco. Thanks for the report, we'll investigate ASAP. On what version of Nuxeo did you test?
01/19/2016
Paco Alías
6.0 is in the tags
01/19/2016
Paco Alías
Here are the screenshots with the documents issue 6.0-HF01
01/20/2016
ANSWERS

Hi,

The problem with the results in the top-right search box for a compromised user name (or document title in some situations) is fixed for the next releases and hotfixes (6.0-HF26, 7.10-HF04, 8.1). Our internal reference for this is NXP-18833 (the ticket is not yet public).

I couldn't reproduce any issue with the display of a compromised document title in search results. Could you expand on the exact issue? Note that previous XSS issues have been fixed, notably for Nuxeo 6.0-HF20, so you should make sure you test on the latest hotfix release.

Florent Guillaume
Member (36K)   6   8   8 		01/19/2016 ( History)
1 votes
Paco Alías
First of all, very thankful for your quick response. We will apply the hotfixes and let you know the results.

About the document issue, these are steps I've followed: 1- create a document comprimising dc:title and dc:description fields 2 - when the document was created (and the URL have been modified), click on the upper search link. 3 - the page layout is broken (I'll attach screenshots).

Not tested with the last hotfixes. Just 6.0-HF01.

Regards,

01/20/2016

Just a quick update. We've tested the same scenario with HF25 and got the same result. Users can be created with

<script>alert('hacked!');</script>

as first or last name.

Paco Alías
Member (699)   1   3   4 		02/02/2016 ( History)
0 votes
Florent Guillaume
Yes as I mentioned above it's fixed for the upcoming Nuxeo 6.0-HF26.
02/03/2016

Here are the screenshots with the documents issue 6.0-HF01

FILES:   xss_document_02.png   xss_document_03.png   xss_document_01.png
Paco Alías
Member (699)   1   3   4 		01/20/2016 ( History)
0 votes
Florent Guillaume
I couldn't reproduce this with the latest hotfix 6.0-HF25.
01/20/2016
Paco Alías
I will test as soon as I have the oportunity. Thanks.
01/20/2016
Follow
Tags
Linked Questions
Related Questions
Is there a way to replace the suggester in default search boxes?
Fulltext search cause "Suggestion Box" error
What determines how special character are processed when using suggested search box ?
Troubles configuring search on metadata
Problems with Facets: schema property values of document not being saved
[select2] Filter the values of widget "Single Directory Suggestion"
Active Directory connection only login new users and not old ones
Adding new DocTypes to map CMIS variables.
multi tenant LDAP user isolation