GNOME Bugzilla – Bug 662035
HTML injection in nicknames
Last modified: 2011-10-24 08:35:38 UTC
Hello, I am writing to report a bug: when a person joins a room with the nickname "<img src="42"> onerror =" window.location = 'http://linkmauve.fr/' "/>", for example, empathy opens the web page (here linkmauve.fr) and displays it, which is annoying, as users end up visiting web sites they sometimes do not want.
Created attachment 199265 [details] screenshot of the bug
This is a severe security issue, since it’s possible to execute ANY javascript code (that webkit can execute) on the remote computer: crashes, data leaks, etc. A possible fix is to just html-escape every nickname in the conversation theme. Also note that this doesn’t happen anymore on more recent empathy versions, since they don’t use webkit for their theming anymore, AFAIK.
Actually, my bad, it happens with the last version. It just depends on the theme used. The default themes don’t seem to be broken, but a “ubuntu” theme, provided by default in Ubuntu, has this issue. It also happens with the default theme in older versions (2.x).
I didn't manage to reproduce this bug. Are you using the "Personal Information" dialog to set your alias? What exactly (without any extra "") are you entering in the Alias entry?
You need to use the theme named “ubuntu” (maybe other non-default themes are vulnerable, I do not know); it is provided by default in Ubuntu at least. You need to join a Jabber/XMPP MultiUserChat room (it doesn’t work on IRC due to the restrictions on the allowed chars in the IRC protocol). Also join that same room from any other client, and with that other client, change your nick to exactly this: <img src="42" onerror="window.location='http://google.com'"/> (some clients may not allow such a strange nick to be taken, but this is a perfectly legit nick on the XMPP protocol). Then, with that same account, send a message to that room. This will make the nick be displayed by the theme, which will make empathy interpret the HTML, executing the Javascript code as well.
Note that this is a security issue, because the bug is triggered by any REMOTE participant in the room, letting anyone execute any Javascript code on the local empathy.
Reproduced, thanks; that's indeed a very nasty bug.
Created attachment 199347 [details] [review] theme_adium_append_message: escape alias before displaying it Not doing so can lead to nasty HTML injection from hostile users.
Created attachment 199348 [details] [review] theme_adium_append_message: escape alias before displaying it Not doing so can lead to nasty HTML injection from hostile users.
Review of attachment 199348 [details] [review]: Looks about right to me.
Merged to master; I'll push to 3.2 as well. Attachment 199348 [details] pushed as 739aca4 - theme_adium_append_message: escape alias before displaying it
Just as a note, this issue was assigned the name CVE-2011-3635.
Shouldn't the nickname in /me-type events also be escaped? In other words, I think that name_escaped should be used instead of name in:

    /* If this is a /me probably */
    if (action) {
        gchar *str;

        if (priv->data->version >= 4 || !priv->data->custom_template) {
            str = g_strdup_printf ("<span class='actionMessageUserName'>%s</span>"
                                   "<span class='actionMessageBody'>%s</span>",
                                   name, body_escaped);
        } else {
            str = g_strdup_printf ("*%s*", body_escaped);
        }
        g_free (body_escaped);
        body_escaped = str;
    }
Good catch; I checked all the calls to theme_adium_append_html() but didn't realise /me was using another code path. Fixed in master and 3.2.
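As an added illustration of the fix discussed in this thread (this is example code, not empathy's own source or the attached patches, which are not shown inline here): the /me path builds the theme's two spans with the alias dropped in raw, while the corrected version escapes the alias the same way the body already is. The html_escape() helper below is a stand-in written for this example, not the helper the real patch uses, and the nick and body strings are the reporter's test nick from the comments above plus a constructed body.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape the five characters that can break out of HTML text or attribute
 * context. Returns a newly malloc'd string the caller must free.
 * (Stand-in for the escaping helper the real fix uses; not empathy code.) */
char *html_escape(const char *s)
{
    size_t len = 0;
    const char *p;
    for (p = s; *p; p++) {
        switch (*p) {
        case '&':  len += 5; break;          /* &amp;  */
        case '<':
        case '>':  len += 4; break;          /* &lt; &gt; */
        case '"':  len += 6; break;          /* &quot; */
        case '\'': len += 5; break;          /* &#39;  */
        default:   len += 1;
        }
    }
    char *out = malloc(len + 1);
    if (!out)
        return NULL;
    char *q = out;
    for (p = s; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Build the two spans the /me code path in the report produces. */
static char *join_spans(const char *name_html, const char *body_html)
{
    const char *fmt = "<span class='actionMessageUserName'>%s</span>"
                      "<span class='actionMessageBody'>%s</span>";
    int n = snprintf(NULL, 0, fmt, name_html, body_html);
    char *str = malloc((size_t)n + 1);
    if (str)
        snprintf(str, (size_t)n + 1, fmt, name_html, body_html);
    return str;
}

/* Mirrors the quoted /me path: body escaped, alias passed through raw, so a
 * hostile nick becomes live markup once the theme renders it. */
char *action_message_unescaped_name(const char *name, const char *body)
{
    char *body_escaped = html_escape(body);
    char *str = join_spans(name, body_escaped);
    free(body_escaped);
    return str;
}

/* The fix from this thread: escape the alias before it reaches theme HTML. */
char *action_message_escaped_name(const char *name, const char *body)
{
    char *name_escaped = html_escape(name);
    char *body_escaped = html_escape(body);
    char *str = join_spans(name_escaped, body_escaped);
    free(name_escaped);
    free(body_escaped);
    return str;
}

int main(void)
{
    /* The reporter's test nick from the comments above; body is constructed. */
    const char *nick = "<img src=\"42\" onerror=\"window.location='http://google.com'\"/>";
    const char *body = "waves";

    char *bad = action_message_unescaped_name(nick, body);
    char *good = action_message_escaped_name(nick, body);
    printf("unescaped alias : %s\n", bad);
    printf("escaped alias   : %s\n", good);
    /* A quick check a reviewer can apply: the escaped form carries no '<' from
     * the alias, so nothing the user typed is parsed as a tag. */
    printf("raw <img present: %s / %s\n",
           strstr(bad, "<img") ? "yes" : "no",
           strstr(good, "<img") ? "yes" : "no");
    free(bad);
    free(good);
    return 0;
}
```

The same rule applies to every other place an alias is interpolated into theme HTML, which is why the follow-up comment about theme_adium_append_html() mattered: one missed call site is enough to reopen the bug.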
Created attachment 199797 [details] [review] theme_adium_append_message: escape alias before displaying it Not doing so can lead to nasty HTML injection from hostile users.
^ Here is the full patch for patching purposes.