Possible XSS attack through external link in site menu items
Issue date: 23-03-2018
Affects versions: 12.1, 12.0, 11.2, 10.2
Issue ID: SECURITY-42
Affected Product Version(s)
This vulnerability applies to CMS 10.2.8, CMS 11.2.4, CMS 12.0.3 and CMS 12.1.0 and earlier versions.
Severity
low
Description
In the Channel Manager's Menu Editor, site menu items of type external link allowed injection of JavaScript, which could be exploited for an XSS attack when an end user selects (clicks) the external link on a rendered page containing that menu item.
Besides direct JavaScript injection using the javascript: protocol, it is also possible to use the data: protocol with a base64-encoded data value in which the JavaScript injection is embedded.
This vulnerability is only exploitable by an authenticated CMS user with webmaster privileges. As such the severity for this vulnerability is low.
Instructions
For all currently supported CMS versions this vulnerability has been fixed through code changes only; it requires nothing more than updating to the latest maintenance releases: CMS 10.2.9, CMS 11.2.5, CMS 12.0.4 or CMS 12.1.1.
The applied fix, HSTTWO-4212 (and backports thereof), by default prevents (actively removes) usage of javascript: or data: protocols in external links for site menu items.
If site menu external links that require JavaScript execution are really needed, this security fix can be disabled at build time, retaining the previous behavior, by adding the following configuration to the site's hst-config.properties file:
sitemenu.externallink.omitJavascriptProtocol = false
Disabling this security fix is not advised though as this then still allows potential XSS attacks as described above!
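As an added example (not part of this advisory and not the code of the HSTTWO-4212 fix itself), the following JavaScript shows a hardened equivalent of the check described above: it normalises a stored hst:externallink value the way a browser's URL parser would before it reads the scheme, rejects javascript: and data: links, and models the sitemenu.externallink.omitJavascriptProtocol switch. The entity decoding, the control-character stripping and the sample values are assumptions about what obfuscated input can look like, not a description of the product's implementation.

```javascript
// Added example, not code from the advisory or from the CMS: a hardened
// check for site menu external links, modelled on the behaviour the
// HSTTWO-4212 fix describes (drop javascript: and data: links by default).
// The normalisation steps are assumptions about what a browser does with
// an href before it reads the scheme, so the check catches obfuscated forms.

// Subset of HTML entities an attacker can use to hide a scheme; numeric
// entities are decoded generically below.
const NAMED_ENTITIES = {
  amp: '&', lt: '<', gt: '>', quot: '"', apos: "'",
  colon: ':', tab: '\t', newline: '\n',
};

// Decode numeric (&#106; / &#x6A;) and the named entities above. If the
// stored value is ever emitted unescaped into an href, the browser decodes
// these before URL parsing, so the check must decode them too.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (match, body) => {
    if (body[0] === '#') {
      const hex = body[1].toLowerCase() === 'x';
      const cp = parseInt(hex ? body.slice(2) : body.slice(1), hex ? 16 : 10);
      return Number.isFinite(cp) && cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    const named = NAMED_ENTITIES[body.toLowerCase()];
    return named === undefined ? match : named;
  });
}

// Mimic the WHATWG URL parser's pre-processing: strip leading and trailing
// C0 controls and spaces, then remove every tab, CR and LF anywhere.
// This is why "java\nscript:" or "\tjavascript:" still run in a browser.
function normaliseUrl(raw) {
  return decodeEntities(raw)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Scheme of a normalised URL, lower-cased, or null for relative links.
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The two schemes the advisory names. A deny-list mirrors the fix; an
// allow-list (http, https, mailto, ...) would be the stricter option.
const BLOCKED_SCHEMES = new Set(['javascript', 'data']);

// Returns the href to render, or null when the link must be dropped.
function sanitiseExternalLink(raw) {
  const url = normaliseUrl(raw);
  const scheme = schemeOf(url);
  return scheme !== null && BLOCKED_SCHEMES.has(scheme) ? null : url;
}

// Model of sitemenu.externallink.omitJavascriptProtocol: true is the
// fixed default, false restores the pre-fix behaviour (value used as-is).
function externalLinkHref(raw, omitJavascriptProtocol = true) {
  return omitJavascriptProtocol ? sanitiseExternalLink(raw) : raw;
}

// Constructed sample hst:externallink values (not taken from any real site).
const SAMPLES = [
  'https://example.org/',
  'mailto:info@example.org',
  '/relative/page.html',
  'javascript:alert(document.cookie)',
  ' \tJaVaScRiPt:alert(1)',
  'java\nscript:alert(1)',
  '&#106;avascript:alert(1)',
  'jav&Tab;ascript:alert(1)',
  'JAVASCRIPT&colon;alert(1)',
  'data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==',
];

// Runs every sample through the fixed default behaviour, prints a verdict
// per value and returns the list of values that would be dropped.
function reportBlocked(samples = SAMPLES) {
  for (const s of samples) {
    const verdict = externalLinkHref(s) === null ? 'BLOCKED' : 'allowed';
    console.log(`${verdict}  ${JSON.stringify(s)}`);
  }
  return samples.filter((s) => externalLinkHref(s) === null);
}

reportBlocked();
```

The obfuscated samples are the reason a plain `startsWith("javascript:")` on the raw stored value is not enough: the whitespace, case and entity variants are all executed by a browser once they land in an href, so any check (including the reporting script further down this page, which lower-cases, trims and strips line breaks for the same reason) has to normalise first.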
While this vulnerability is unlikely to have been exploited, the fix only prevents future misuse: it is applied when a new site menu item is added or existing content is modified, so values already stored in the repository are not rewritten.
To make sure existing content is free from this vulnerability, it is strongly recommended that customers have an administrator run the check/report script below with the Updater Editor after upgrading to the latest maintenance release.
SiteMenuItemExternalLinkCheck script
The following reporting-only Groovy script can be executed by an administrator in the CMS Updater Editor after the maintenance upgrade (the script depends on fixes and improvements that are only present in those releases), using the following settings:
Name: HtmlDataProtocolCheck
Select node using XPath query: //element(*, hst:sitemenuitem)[@hst:externallink]
Batch Size: 1000
Script content:
package org.hippoecm.frontend.plugins.cms.admin.updater

import org.hippoecm.repository.util.JcrUtils
import org.htmlcleaner.Utils
import org.onehippo.repository.update.BaseNodeUpdateVisitor

import javax.jcr.Node
import javax.jcr.RepositoryException

/**
 * Reporting-only updater: logs every hst:sitemenuitem whose hst:externallink
 * uses the javascript: or data: protocol. Nothing is modified (doUpdate always
 * returns false), so it can be run safely against production content.
 */
class SiteMenuItemExternalLinkCheck extends BaseNodeUpdateVisitor {

    boolean doUpdate(Node node) throws RepositoryException {
        String value = JcrUtils.getStringProperty(node, "hst:externallink", null)
        if (value != null) {
            // Normalise before matching: trim, lower-case, run through htmlcleaner's
            // escapeXml and strip line breaks and tabs, so that obfuscated variants
            // (mixed case, embedded newlines) are detected as well.
            value = Utils.escapeXml(value.trim().toLowerCase(), true, true, true, false, false, false, true)
                    .replaceAll("[\n\r\t]", "")
            if (value.startsWith("javascript:") || value.startsWith("data:")) {
                // Truncate long values so the report stays readable.
                value = value.length() <= 70 ? value : value.substring(0, 67) + "..."
                log.info("Found \"javascript:\" or \"data:\" protocol usage in property hst:externallink at "
                        + node.getPath() + ":\n \"" + value + "\"\n")
            }
        }
        // Report only: never mark the node as updated.
        return false
    }

    boolean logSkippedNodePaths() {
        return false
    }

    boolean skipCheckoutNodes() {
        return true
    }

    boolean undoUpdate(Node node) {
        throw new UnsupportedOperationException()
    }
}
After executing the above script (which might take some time depending on the number of site menu items), it reports in which menu items javascript: or data: protocol usage has been detected, if any.
Reported usages then can be fixed manually by editing and updating those site menu items, and if needed (re)publishing the channel they belong to.
Alternatively, an administrator can also use the reported site menu item node paths to navigate to and modify (or remove) the hst:externallink property directly through the CMS Console.