here with correct email subject :) On 9/26/18 2:17 PM, SEC Consult Vulnerability Lab wrote: > SEC Consult Vulnerability Lab Security Advisory < 20180926-0 > > ======================================================================= > title: Stored Cross-Site Scripting > product: Progress Kendo UI Editor > vulnerable version: v2018.1.221 > fixed version: none, see workaround > CVE number: CVE-2018-14037 > impact: medium > homepage: https://www.progress.com/kendo-ui > found: 2018-04-23 > by: M. Tomaselli (Office Munich) > SEC Consult Vulnerability Lab > > An integrated part of SEC Consult > Europe | Asia | North America > > https://www.sec-consult.com > > ======================================================================= > > Vendor description: > ------------------- > "The Editor allows users to create rich text content by means of a WYSIWYG > interface. This HTML5 widget outputs identical HTML across all major browsers, > follows accessibility standards and provides an API for content manipulation. > The generated widget value is comprised of XHTML markup." > > https://www.telerik.com/kendo-ui/editor > > > Business recommendation: > ------------------------ > SEC Consult recommends to implement the workarounds provided by the vendor. > > > Vulnerability overview/description: > ----------------------------------- > The demo application of the Kendo UI Editor which is hosted at > https://demos.telerik.com/kendo-ui/editor/api implements a Sanitizer function > which should protect from cross site scripting. However, the implemented > Sanitizer fails to catch certain payloads which allow an attacker to execute > JavaScript in the context of the editor itself. > > > Proof of concept: > ----------------- > The following, incomplete list, of payloads can be used to trigger an alert > box in the API demo application of the Kendo UI Editor: > https://demos.telerik.com/kendo-ui/editor/api > > > <object > data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object> > <IFRAME SRC="javascript:alert('XSS');"></IFRAME> > <META > HTTP-EQUIV="refresh" > CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"> > > > > After a click on the button the setValue function on line 513 of the > beautified > "api.js" is called: > > var setValue = function () { > editor.value($("#value").val()); > }; > > > The value function is implemented in line 64383 of the beautified > "kendo.all.js" > file and defined as: > > value: function (html) { > var body = this.body, editorNS = kendo.ui.editor, options = > this.options, currentHtml = editorNS.Serializer.domToXhtml(body, > options.serialization); > if (html === undefined) { > return currentHtml; > } > if (html == currentHtml) { > return; > } > editorNS.Serializer.htmlToDom(html, body, > options.deserialization); > this.selectionRestorePoint = null; > this.update(); > this.toolbar.refreshTools(); > }, > > In order to mitigate certain XSS payloads the editorNS.Serializer.htmlToDom() > function is called which can be seen in the excerpt below: > > var Serializer = { > toEditableHtml: function (html) { > return (html || '').replace(/<!\[CDATA\[(.*)?\]\]>/g, > '<!--[CDATA[$1]]-->').replace(/<(\/?)script([^>]*)>/gi, > '<$1k:script$2>').replace(/<img([^>]*)>/gi, function (match) { > return match.replace(onerrorRe, ''); > }).replace(/(<\/?img[^>]*>)[\r\n\v\f\t ]+/gi, > '$1').replace(/^<(table|blockquote)/i, br + > '<$1').replace(/^[\s]*( |\u00a0)/i, > '$1').replace(/<\/(table|blockquote)>$/i, > '</$1>' + br); > }, > > Although certain payloads are detected and sanitized by the function, the > implemented protection fails to detect the data uri payload. The payload is > added unescaped to the editor DOM after several other functions calls. > > > Vulnerable / tested versions: > ----------------------------- > The following version has been identified to be vulnerable: > * v2018.1.221 > > > Vendor contact timeline: > ------------------------ > 2018-05-02: Contacting vendor through email for security contact > 2018-05-02: Contact person requests to obtain advisory via unencrypted mail > 2018-05-08: Advisory delivered through unencrypted email to vendor > 2018-05-29: Contacting vendor for current status and informing them about the > publishing date > 2018-07-02: Reminded the vendor that the advisory will be published soon > 2018-07-02: Multiple emails exchanged, vendor demands that customers need to > issue a support ticket on this case > 2018-07-03: Telling them that it is a security issue they already know two > months > without seemingly acting upon it. > Vendor: product managers have been informed and will contact us; > no further info > 2018-07-11: Asking vendor again for a status update & patch information > 2018-07-11: Vendor: "Thank you for following up. I have sent this to the > product > team to take into consideration. They will be following up with > you as > they may need. We appreciate you following up regarding this > request." > 2018-07-12: Detailed answer from vendor regarding workaround > 2018-07-13: Requested CVE number > 2018-09-26: Public release of security advisory > > > Solution: > --------- > There is no fix available from the vendor. Check the vendor's website for > potential future updates. > > > Workaround: > ----------- > The following workaround was provided by the vendor which has to be extended > in > order to mitigate all of the above mentioned payloads. > > ```quote > First, one thing to keep in mind with the Kendo UI Editor is that since it is > a HTML editor that many users implement in order take advantage of HTML > content > (compared to straight text). This means that while we often sanitize many > things (script tags, DOM event attributes, etc.) in order to prevent > cross-site scripting [...] there are certain cases that we cannot > automatically > sanitize because of use cases that customers of ours have – this being one of > them. > > Because the value that is set to the Editor is done through the jQuery method > `$(“#value”).val()` it is possible to sanitize or encode values before being > set to the editor. > > This is can be done through implementing some custom sanitations through the > `serialization.custom > <https://docs.telerik.com/kendo-ui/api/javascript/ui/editor/configuration/serialization.custom>`, > and > `deserialization.custom<https://docs.telerik.com/kendo-ui/api/javascript/ui/editor/configuration/deserialization>`, > options available in the Editor today. > ``` > > ```html > <!DOCTYPE html> > <html> > <head> > <meta charset="utf-8"> > <title>Untitled</title> > > <link rel="stylesheet" > href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.common.min.css"> > <link rel="stylesheet" > href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.rtl.min.css"> > <link rel="stylesheet" > href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.default.min.css"> > <link rel="stylesheet" > href="https://kendo.cdn.telerik.com/2018.2.620/styles/kendo.mobile.all.min.css"> > > <script src="https://code.jquery.com/jquery-1.12.3.min.js"></script> > <script > src="https://kendo.cdn.telerik.com/2018.2.620/js/angular.min.js"></script> > <script > src="https://kendo.cdn.telerik.com/2018.2.620/js/jszip.min.js"></script> > <script > src="https://kendo.cdn.telerik.com/2018.2.620/js/kendo.all.min.js"></script></head> > <body> > <textarea id="editor"></textarea> > <script> > function sanitizeHtml(html) { > var temp = $("<div></div>").html(html); > temp.find("object").remove(); > return temp.html() || "\ufeff"; > } > > $("#editor").kendoEditor({ > tools: [ > "viewHtml" > ], > deserialization: { > custom: function(html) { > return sanitizeHtml(html); > } > }, > serialization: { > custom: function(html) { > return sanitizeHtml(html); > } > } > }); > > var editor = $("#editor").getKendoEditor(); > > editor.value('<object > data="data:text/html;base64,PHNjcmlwdD5hbGVydCgic2VjdGVzdCIpPC9zY3JpcHQ+"></object>'); > console.log(editor.value()); > </script> > </body> > </html> > ``` > > > Advisory URL: > ------------- > https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > SEC Consult Vulnerability Lab > > SEC Consult > Europe | Asia | North America > > About SEC Consult Vulnerability Lab > The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It > ensures the continued knowledge gain of SEC Consult in the field of network > and application security to stay ahead of the attacker. The SEC Consult > Vulnerability Lab supports high-quality penetration testing and the evaluation > of new offensive and defensive technologies for our customers. Hence our > customers obtain the most current information about vulnerabilities and valid > recommendation about the risk profile of new technologies. > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > Interested to work with the experts of SEC Consult? > Send us your application https://www.sec-consult.com/en/career/index.html > > Interested in improving your cyber security with the experts of SEC Consult? > Contact our local offices https://www.sec-consult.com/en/contact/index.html > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Mail: research at sec-consult dot com > Web: https://www.sec-consult.com > Blog: http://blog.sec-consult.com > Twitter: https://twitter.com/sec_consult > > EOF M. Tomaselli / @2018 >
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/