I am currently evaluating Jitsi for use within a corporate environment but in doing so I seem to have discovered an issue with the XMPP chat component.
When creating a group conversation it upgrades to a "chatroom" of sorts (it seems to function similarly to IRC, but I have little knowledge of the internals). This "IRC-like" functionality allows the room owner to change a subject and a nickname, which is expected.
Unfortunately it seems the "Change Nickname" functionality allows one to inject HTML. I have tested the following "names" without the single quotation marks.
'<h1>UGLY GREY BLOCK </h1>'
'<img src="https://jitsi.org/logo/jitsi_logo_876x1311.png" />'
'<img src="https://jitsi.org/logo/jitsi_logo_876x1311.png" width="10000" height="10000" />'
'<font color="#ff0000">I Stand Out</font>'
Fortunately, variants of '<script>alert("XSS");</script>' do not appear to function (presumably because the subset of HTML that Swing panes support is limited to HTML 3.2!), but there are still implications:
- Users could make themselves look more important than they are through the use of "red text" or whatever and perform social engineering attacks.
- Users can perform DoS attacks by completely malforming the markup of the chat window and embedding heavy assets.
- Users can grief other users through embedded image links etc. (use your imagination)
- Embedded resources are fetched immediately, which has repercussions for secure conversations. Information could potentially be leaked about who is in the channel (IPs etc.) if a member of the channel embeds an image. 1x1px images may go undetected if participants do not pay attention to e.g. the sidebar.
Apologies if there is a separate "responsible disclosure" procedure, but I couldn't find one and I deemed this low impact as one cannot run arbitrary scripts. I still believe it to be an important security consideration though.
I have only noticed the issue within the context of changing an individual's username in an XMPP conference chat, but this doesn't mean that is the only context that is affected. I will continue to keep my eye out for these issues: please let me know if there is a better place (or individual person) for me to be disclosing these to. If I discover anything more serious/exploitable of course I would try to find another avenue for responsibly disclosing these to the core development team.
As an aside, and on an unrelated topic, would someone committing small patches (pull requests) need to sign the Contributor Licence Agreement? Information around Jitsi is a little bit muddled and outdated on the site (sometimes referring to older SVN repos, SIP Communicator, Java.net project pages etc.), so I just want to make sure. I submitted a trivial one-liner about supporting Chromium on Linux, but I would like to continue to contribute back any fixes or alterations that I make to https://www.github.com/smithev/smithchat-jitsi if they are applicable to the wider Jitsi community.
Smith Electric Vehicles
Birtley Road, Washington
Tyne & Wear
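The mitigation for the nickname injection described in the report above is to treat the nickname as untrusted text and HTML-escape it before it is concatenated into the markup handed to the Swing HTML pane. The following is an added example written for this page, not Jitsi's own code: it assumes the chat line is built as an HTML string for a Swing pane (as the report suggests), and the names `escapeHtml` and `renderLine` are hypothetical. Once escaped, an `<img>` tag in a nickname is rendered as literal text, so no remote resource is fetched and no layout can be broken.

```java
public class NicknameEscapeDemo {

    // Escape the characters that have meaning in an HTML text node or
    // attribute value, so a nickname is displayed literally rather than
    // parsed as markup by the Swing HTMLEditorKit.
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Build the HTML for one chat line. Both the nickname and the message
    // body arrive from other participants over XMPP and are untrusted, so
    // both are escaped; only the surrounding tags are authored here.
    static String renderLine(String nickname, String message) {
        return "<div><b>" + escapeHtml(nickname) + "</b>: "
             + escapeHtml(message) + "</div>";
    }

    // Quick check: an escaped string must contain no raw '<' or '>' and
    // no unescaped quotes, so it cannot open a tag or close an attribute.
    static boolean isSafeForHtml(String escaped) {
        return escaped.indexOf('<') < 0 && escaped.indexOf('>') < 0
            && escaped.indexOf('"') < 0 && escaped.indexOf('\'') < 0;
    }

    public static void main(String[] args) {
        // Constructed sample nicknames of the same shape as those in the
        // report (placeholder host, not a real resource).
        String[] samples = {
            "<h1>UGLY GREY BLOCK </h1>",
            "<img src=\"https://example.invalid/1x1.png\" width=\"10000\" height=\"10000\" />",
            "<font color=\"#ff0000\">I Stand Out</font>",
            "alice"
        };
        for (String nick : samples) {
            String line = renderLine(nick, "hello");
            System.out.println(line + "  safe=" + isSafeForHtml(escapeHtml(nick)));
        }
    }
}
```

Run `javac NicknameEscapeDemo.java && java NicknameEscapeDemo`; each printed line shows the nickname reduced to entity-encoded text between the `<b>` tags, and `safe=true` for every sample. The same escaping should be applied at every point where participant-controlled text (subject, message body, presence status) is inserted into the pane's HTML, since the report notes the nickname may not be the only affected context.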