kiwix/kiwix-tools

Kiwix deployments that don't redirect arbitrary paths to the content path are vulnerable to XSS injection

ClevenL opened this issue · 4 comments

Sorry for being a bit vague.
I have identified some deployments of Kiwix that do not redirect arbitrary paths to the content path and are therefore vulnerable to XSS injection.

A deployment like this would trigger an XSS with e.g. the payload:
https://kiwix.example.domain/%22%3E%3Cimg%20src=X%20onerror=alert(1)%3E
https://library.kiwix.org/%22%3E%3Cimg%20src=X%20onerror=alert(1)%3E

library.kiwix.org redirects correctly to content path where the input is correctly sanitized.
https://library.kiwix.org/content/%22%3E%3Cimg%20src=X%20onerror=alert(1)%3E

What would be a solution to redirect the path to content? Is there a missing configuration? Since I have identified several deployments with this kind of issue then the deployment process might need updating to avoid the misconfiguration.

What would be a solution to redirect the path to content?

The /content endpoint has been introduced in the last release (12.0.0), so I would say: keep your deployment up to date :)

opk12 commented
  • Is kiwix-tools 3.1.2-3 from Debian bullseye (= current stable) also affected?
  • Shouldn't this warrant a CVE to inform downstream distributors and let them coordinate?

@mgautierfr Do you mean this bug is fixed or inoperative in the latest version of kiwix-serve?

There was an (unknown at the time) bug in the previous version where we were vulnerable to XSS injection.
With the introduction of the js viewer we have "fixed" this issue as we now correctly "sanitize" the input.

The fix is not especially related to the js viewer. Just that we have done things better when coding the /content endpoint.