FS#65639 - Password Field In Account Update Page Allows For DOM Injection
Attached to Project:
AUR web interface
Opened by isomarcte (isomarcte) - Thursday, 27 February 2020, 15:21 GMT
Last edited by Lukas Fleischer (lfleischer) - Tuesday, 21 April 2020, 16:00 GMT
Details
AUR Version: 4.8.0 (I can't change the drop down, but it's not 4.7.0)

On the AUR account management page, https://aur.archlinux.org/account/<account>/update/, attempts to use a password with a double quote character in it fail and allow a user to inject into the HTML DOM. For example, entering the following text in the `Password` field yields modifications to the DOM returned to the user (see attached screenshot).

Input: `"><p>Test</p><input value="`

The consequences of this are:

* Users with double quotes in their passwords will be unable to use that page.
* It _may_ be possible for an attacker to use this to trick a user into loading an attacker controlled DOM. It does look like AUR uses CSRF tokens, so I don't think this would be easy to exploit, but I've not looked into it too deeply.
Closed by Lukas Fleischer (lfleischer)
Tuesday, 21 April 2020, 16:00 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 5.0.0.
Comment by Lukas Fleischer (lfleischer) - Thursday, 27 February 2020, 15:50 GMT
Thanks for reporting! A patch is on the pu branch. I also hotpatched our live setup at aur.archlinux.org.
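
The class of bug described in the report, as an added example that is not AUR's code and not the patch referenced above: a form value reflected into a `value="..."` attribute with and without attribute escaping, plus a parser-based check usable as a regression test. The field name `passwd` and all function names are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Input quoted in the report (FS#65639).
REPORTED_INPUT = '"><p>Test</p><input value="'


def render_unescaped(value):
    """Behaviour described in the report: the value is reflected verbatim."""
    # "passwd" is a hypothetical field name, not taken from the AUR templates.
    return '<input type="password" name="passwd" value="' + value + '">'


def render_escaped(value):
    """Hardened form: quote=True also encodes the double quote, so the
    attribute cannot be closed from inside the value."""
    return ('<input type="password" name="passwd" value="'
            + escape(value, quote=True) + '">')


class _Collector(HTMLParser):
    """Records every start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    collector = _Collector()
    collector.feed(markup)
    collector.close()
    return collector.tags


def field_is_intact(markup, expected_value):
    """True if the markup is exactly one <input> whose value round-trips."""
    tags = parse_tags(markup)
    return (len(tags) == 1 and tags[0][0] == "input"
            and tags[0][1].get("value") == expected_value)


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        html = render(REPORTED_INPUT)
        print(render.__name__, field_is_intact(html, REPORTED_INPUT), html)
```

The same check covers the first consequence listed in the report: a legitimate password containing a double quote only round-trips through the escaped renderer.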