[jitsi-dev] Minor XSS Problem with XMPP Conference chats


#1

Hi All,

I am currently evaluating Jitsi for use within a corporate environment but in doing so I seem to have discovered an issue with the XMPP chat component.

When creating a group conversation it upgrades to a "chatroom" of sorts (it seems to function similar to IRC but I have little knowledge of the internals). This "IRC-like" functionality allows the room owner to change a subject and a nickname, which is expected.

Unfortunately it seems the "Change Nickname" functionality allows one to inject HTML. I have tested the following "names" without the single quotation marks.

'<a href="http://google.com">XSS</a>'
'<h1>UGLY GREY BLOCK </h1>'
'<img src="https://jitsi.org/logo/jitsi_logo_876x1311.png" />'
'<img src="https://jitsi.org/logo/jitsi_logo_876x1311.png" width="10000" height="10000" />'
'<font color="#ff0000">I Stand Out</font>'

Fortunately variants of '<script>alert("XSS");</script>' do not appear to function (presumably because the subset of HTML that Swing panes support is limited to HTML 3.2!) but there are still implications:

- Users could make themselves look more important than they are through the use of "red text" or whatever and perform social engineering attacks.
- Users can perform DoS attacks by completely malforming the markup of the chat window and embedding heavy assets.
- Users can grief other users through embedded image links etc. (use your imagination)
- Embedded resources are fetched immediately, which has repercussions with secure conversations. Information could potentially be leaked about who is in the channel (IPs etc) if a member of the channel embeds an image. 1x1px images may go undetected if participants do not pay attention to eg. the sidebar.

Apologies if there is a separate "responsible disclosure" procedure, but I couldn't find one and I deemed this low impact as one cannot run arbitrary scripts. I still believe it to be an important security consideration though.

I have only noticed the issue within the context of changing an individual's username in an XMPP conference chat, but this doesn't mean that is the only context that is affected. I will continue to keep my eye out for these issues: please let me know if there is a better place (or individual person) for me to be disclosing these to. If I discover anything more serious/exploitable of course I would try to find another avenue for responsibly disclosing these to the core development team.

----

As an aside and on an unrelated topic, would someone committing small patches (pull requests) need to sign the Contributor Licence Agreement? Information around Jitsi is a little bit muddled and outdated on the site (sometimes referring to older SVN repos, SIP Communicator, Java.net project pages etc) so I just want to make sure. I submitted a trivial one-liner about supporting chromium on Linux, but I would like to continue to contribute back any fixes or alterations that I make to https://www.github.com/smithev/smithchat-jitsi if they are applicable to the wider Jitsi community.

----
Toby Pinder | Software Developer
E. toby.pinder@smithelectric.com
W. www.smithelectric.com



#2

Thanks for the report. Does this affect only Jitsi or have you tested
it with other IM clients (e.g., Pidgin or Adium)?

Peter

--
Peter Saint-Andre
https://stpeter.im/


#3

I have not tested with any other clients. It seems to be entirely a client-side filtering thing, so it would only really affect other clients if they used the same "HTML3.2ified" Swing UI widgets as Jitsi does. Changing the name only seems to take effect in the main chat portion. The list of users to the right displays the raw name perfectly normally, without parsing it as HTML.

Changing the subject of the conference has a similar behaviour: the title at the top of the UI is perfectly fine but the "<<X>> has changed the subject to <<Y>>" message is manipulatable through HTML.

If you are looking to do a comprehensive check for these issues I would suggest that anything that puts user input into these rich-text main chat windows be checked to see if it is sanitized, but for now I will be doing a bit of manual "black box" testing where time allows. Hopefully the conference stuff is an exception, but if not I'll report back.

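The two render paths described in messages #1 and #3 (a chat line carrying the sender's nickname, and the "X has changed the subject to Y" notice), as an added example that is not Jitsi's code: the method names, the exact markup and the escaping helper are assumptions. It builds each message once by raw concatenation and once with escaping, then parses the result with the same HTMLEditorKit a JEditorPane uses and counts the IMG elements the document ends up with, since an IMG element is what causes the pane to fetch the remote resource that message #1 warns about.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.swing.text.BadLocationException;
import javax.swing.text.html.HTML;
import javax.swing.text.html.HTMLDocument;
import javax.swing.text.html.HTMLEditorKit;

/*
 * Added example, not Jitsi code. Models the two render paths discussed in the
 * thread (a chat line carrying the sender's nickname, and the "X has changed
 * the subject to Y" notice), once as raw concatenation and once with escaping.
 * Method names and the exact markup are assumptions.
 */
public class ChatHtmlEscapeDemo {

    // Hypothetical vulnerable path: user-controlled strings dropped straight into markup.
    static String chatLineUnsafe(String nick, String text) {
        return "<div><b>" + nick + "</b>: " + text + "</div>";
    }

    // Hardened path: every user-controlled field is escaped where it meets the markup.
    static String chatLineSafe(String nick, String text) {
        return "<div><b>" + escapeHtml(nick) + "</b>: " + escapeHtml(text) + "</div>";
    }

    static String subjectNoticeUnsafe(String nick, String subject) {
        return "<div><i>" + nick + " has changed the subject to " + subject + "</i></div>";
    }

    static String subjectNoticeSafe(String nick, String subject) {
        return "<div><i>" + escapeHtml(nick) + " has changed the subject to "
                + escapeHtml(subject) + "</i></div>";
    }

    // Escape the characters that can open or close a tag or attribute, plus '&' so a
    // user-typed entity is not decoded by the pane.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Parse the markup with the HTMLEditorKit a JEditorPane would use and count the
    // IMG elements in the resulting document. Each one becomes an ImageView that
    // fetches its src when the pane is shown, so a rendering path is safe only when
    // hostile input cannot raise this count.
    static int countImgElements(String html) throws IOException, BadLocationException {
        HTMLEditorKit kit = new HTMLEditorKit();
        HTMLDocument doc = (HTMLDocument) kit.createDefaultDocument();
        kit.read(new StringReader(html), doc, 0);
        int n = 0;
        for (HTMLDocument.Iterator it = doc.getIterator(HTML.Tag.IMG); it.isValid(); it.next()) {
            n++;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs modelled on the nickname and subject strings reported in the thread.
        String hostileNick =
            "<img src=\"https://jitsi.org/logo/jitsi_logo_876x1311.png\" width=\"10000\" height=\"10000\">";
        String hostileSubject = "<font color=\"#ff0000\">I Stand Out</font>";

        System.out.println("chat line, unsafe:      IMG count = "
            + countImgElements(chatLineUnsafe(hostileNick, "hello")));
        System.out.println("chat line, safe:        IMG count = "
            + countImgElements(chatLineSafe(hostileNick, "hello")));
        System.out.println("subject notice, unsafe: IMG count = "
            + countImgElements(subjectNoticeUnsafe(hostileNick, hostileSubject)));
        System.out.println("subject notice, safe:   IMG count = "
            + countImgElements(subjectNoticeSafe(hostileNick, hostileSubject)));
    }
}
```

Escaping belongs at the point where text is concatenated into markup, not at the point where the nickname is received: the same raw nickname is still needed verbatim for the roster, for the XMPP presence that goes back out, and for comparisons, and escaping it once at the source would break those. One general Swing caveat worth knowing when auditing the other surfaces mentioned in message #3: a JLabel-based renderer (as used by JList and JTree cells) also interprets text as HTML when the string begins with `<html>`, so a list that displays the raw name today is immune by accident of the test input, not by construction, and deserves the same check.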

#4

OK, thanks. I'm the author of the XMPP conference specification, so I
was wondering if this is a more generalized issue. If it's specific to
Jitsi then I'll let our Jitsi friends tell us how it can be solved. :)

Peter

--
Peter Saint-Andre
https://stpeter.im/

#5

Hello,

Could you please open a ticket for this issue at
[1]?

--
Regards,
Hristo.

[1] https://jitsi.org/Development/BugsAndIssues


#6

Done here: https://trac.jitsi.org/ticket/1216. Please reassign the priority as needed, I just took a wild stab in the dark on that.

--
Toby Pinder | Telemetry Software Engineer
