Insecure display of HTML messages in search results

Issue #761 resolved
Tobias Demuth created an issue

We recently discovered that if a user opens an email from our JIRA instance in the WebUI, all links are changed to start with the JIRA url, not with the archive url.

Upon further investigation I found that when the content of the preview pane is loaded, the HTML is embedded in the current page. For our JIRA mails the response of the AJAX call to message.php looks like:

<div id="restorebox" class="alert alert-general">
</div>

<div class="messageheader">
...
</div>

<div id="notesbox" class="input-prepend input-append">
...
</div>


<div id="messageblock">

<div class="messageheader">
...
</div>
<div class="messagecontents">

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head> 
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> 
        <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0"> 
        <base href="https://jira.example.com"> 
        <title>Message Title</title> 
    </head> 
    <body> 
....
    </body>
</html>

</div>

</div>

For one: I'm pretty sure that the nodes DOCTYPE, html, head and body are allowed only once per page.

What causes the real trouble is the <base> node: this sets the new base URL for all relative links.

Furthermore I think that the HTML content of a mail isn't properly sanitized and a specially crafted mail could lead to an XSS vulnerability. At the very least it's possible to hijack the current session.

Comments (8)

  1. Janos SUTO repo owner

    I'll check the issue. For the alleged XSS problem I need some proof of concept I could try.

  2. Former user Account Deleted

    Injecting a <script> block into an HTML mail is filtered:

    <html><head><body><!-- disabled javascript here --></html>
    

    However, using (for example) onmouseover isn't: Send yourself an HTML email with the following content:

    ... Standard mail headers
    Content-Type: text/html; charset="utf-8"

    <html><body><p onmouseover="alert('test')">test</p></body></html>


    and browse the mail in the WebUI. Once you hover over the preview pane, the script gets executed.

    <link> tags in HTML are fetched too. At the minimum, this can be used to track users.

    Instead of taking the blacklist approach and trying to remove bad content, the WebUI should scrub the mail content ruthlessly before passing it to the preview pane.

  3. Janos SUTO repo owner

    Thanks for your input, I'll give html purifier a shot. I'll let you know when it can be tested.

  4. Janos SUTO repo owner

    OK, I think I've nailed it. Get the latest master branch (see the download area), and update the webui, then see if html purifier does its job properly or not.

  5. Former user Account Deleted

    Thank you for the fast fix! I've updated the Web UI and can confirm that the mail content is now properly sanitized.
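The following is an added example, not code from the piler project and not the HTML Purifier configuration that the fix above actually uses. It illustrates, with the Python standard library only, the two points raised in this thread: the issue description (an embedded <base href> silently redirects every relative link of the archive page to the JIRA host, and a mail body carrying its own DOCTYPE/html/head/body is pasted into the preview pane unchanged) and comment 2 (a <script> blacklist does nothing against onmouseover= or javascript: URLs, and <link> elements cause fetches). The sanitizer rebuilds the mail from an allowlist of tags and attributes, as comment 2 recommends, instead of trying to remove bad constructs. The tag and attribute lists, the two sample mails and the archive URL are assumptions made for this example.

```python
# Added illustration, not piler's own code: an allowlist HTML sanitizer for mail
# previews using only the Python standard library. The tag/attribute lists, the
# sample mails and the archive URL below are assumptions made for this example.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Only these tags survive; <html>, <head>, <body>, <base>, <meta>, <link>,
# <script>, <style>, <iframe>, ... are all dropped because they are not listed.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol",
                "li", "div", "span", "pre", "blockquote", "h1", "h2", "h3",
                "table", "thead", "tbody", "tr", "td", "th"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"},
                 "td": {"colspan", "rowspan"}, "th": {"colspan", "rowspan"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL
VOID_TAGS = {"br", "img"}
DROP_CONTENT_TAGS = {"script", "style", "title"}  # text inside is dropped too


def safe_url(value):
    """Allowlist URL schemes (rejects javascript:, data:, vbscript:, ...).
    Whitespace is removed first because browsers ignore tab/newline inside a
    scheme, so 'java\\tscript:' must be caught as well as 'JaVaScRiPt:'."""
    return urlparse("".join((value or "").split())).scheme.lower() in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    """Rebuilds the document from the allowlist; anything unknown is discarded.
    HTMLParser's defaults already swallow <!DOCTYPE>, comments and PIs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # &#106;avascript: decoded first
        self.out = []
        self._drop_depth = 0  # > 0 while inside script/style/title

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
        elif not self._drop_depth and tag in ALLOWED_TAGS:
            kept = [f' {n}="{escape(v or "", quote=True)}"' for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, set())   # drops on*, style
                    and (n not in URL_ATTRS or safe_url(v))]
            self.out.append(f"<{tag}{''.join(kept)}>")
        # else: unknown tag (base, link, meta, html, body, ...) silently dropped

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
        elif not self._drop_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))  # re-escape decoded text


def sanitize(html):
    """Return the allowlisted fragment that is safe to embed in the preview pane."""
    s = MailSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out)


class _BaseFinder(HTMLParser):
    """Records the first <base href>, which is the one browsers honour."""
    href = None

    def handle_starttag(self, tag, attrs):
        if tag == "base" and self.href is None:
            self.href = dict(attrs).get("href")


def resolve_link(fragment, page_url, relative_href):
    """Where a relative link points once `fragment` is embedded in the page at
    `page_url`: an injected <base href> (as in the JIRA mail) silently wins."""
    f = _BaseFinder()
    f.feed(fragment)
    return urljoin(f.href or page_url, relative_href)


# Constructed sample mails modelled on the report above, not real messages.
JIRA_MAIL = """<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<base href="https://jira.example.com">
<link rel="stylesheet" href="https://tracker.example.net/beacon.css">
<title>Message Title</title></head>
<body><p>Issue <a href="/browse/PROJ-1">PROJ-1</a> updated.</p></body></html>"""

XSS_MAIL = ('<html><body><p onmouseover="alert(\'test\')">test</p>'
            '<a href="javascript:alert(1)">x</a><script>alert(2)</script></body></html>')

ARCHIVE_URL = "https://archive.example.com/index.php"  # assumed WebUI location

if __name__ == "__main__":
    print(resolve_link(JIRA_MAIL, ARCHIVE_URL, "/browse/PROJ-1"))            # jira host
    print(resolve_link(sanitize(JIRA_MAIL), ARCHIVE_URL, "/browse/PROJ-1"))  # archive host
    print(sanitize(XSS_MAIL))                                                # <p>test</p><a>x</a>
```

Run stand-alone, the first line shows the relative link from the raw JIRA mail resolving against jira.example.com, the second shows the same link resolving against the archive once the <base> element is gone, and the third shows the onmouseover handler, the javascript: href and the <script> block all removed while the visible text is kept. The design point is the one made in comment 2: nothing is ever "removed", the output only contains what is explicitly listed, so a new attribute or element the filter author never thought of (srcdoc, formaction, <meta http-equiv="refresh">) is dropped by default rather than passed through.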
