Flaw allowed malicious JavaScript to be embedded in an SVG file

A cross-site scripting (XSS) vulnerability in PrivateBin, the open source secure pastebin, has been patched.

PrivateBin, a fork of the popular ZeroBin, is an online tool for storing text that is encrypted and decrypted in the browser using 256-bit AES, meaning that the server has “zero knowledge of pasted data”.

Discovered by Ian Budd of security firm Nethemba, the flaw allows malicious JavaScript code to be embedded in an SVG image file, which can then be attached to pastes.

If a user opens a paste with a specially crafted SVG attachment and interacts with the preview image while the instance isn’t protected by an appropriate Content Security Policy (CSP), the attacker’s JavaScript runs in the victim’s browser.

“It is very easy to create the payload and send it to other users,” Budd tells The Daily Swig.

“The tricky part is that the user would have to open the image preview in a new tab – details of how this can be realistically achieved have been detailed by PrivateBin in their report.

“Upon successful execution, it could allow access to unprotected cookies, local storage data, session storage data, etc, for other applications running on the same domain, where said cookies are present on the victim’s browser. This may include authentication tokens.”

Low chance of attack

Budd says the chances of an attack succeeding would be relatively low, as it explicitly requires user interaction, and because potential exploit code can only run in a new tab.

“PrivateBin had already done a great job at creating a Content Security Policy (CSP) which mitigated the issue,” he says.

“The vulnerability was found when either using a browser which did not respect or follow this CSP or sites for which the default CSP had been edited, lowering the effectiveness.”

However, Nethemba found multiple instances in PrivateBin’s public instance list that appeared to either strip the CSP or have it changed to an unsafe setting, two of which also had attachments enabled and were thus vulnerable to the attack.
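The three situations described in this article (an instance with a strict CSP, one whose administrator has weakened it, and one that strips the header entirely) can be told apart from the response headers alone. The following is an added example in JavaScript, not code from PrivateBin or Nethemba: it parses a `Content-Security-Policy` header and decides whether an inline `<script>` in an SVG opened as a top-level document would be allowed to run. The header strings, the placeholder SVG body and all function names are constructed for illustration, and the parser covers only the directives that matter for this question (`script-src`, `default-src`, `sandbox`), not the whole of CSP3.

```javascript
"use strict";

// Constructed stand-in for the kind of attachment described in the article:
// an SVG that carries its own <script> element. The script body is a harmless placeholder.
const SVG_WITH_SCRIPT = [
  '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">',
  '  <script>/* attacker-controlled JavaScript would go here */</script>',
  '</svg>',
].join('\n');

// Parse one Content-Security-Policy header value into a Map of
// directive name (lowercased) -> array of source expressions.
// Per the spec, a repeated directive name is ignored: the first one wins.
function parseCsp(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does a single policy allow an inline <script> in the document it governs?
function policyAllowsInlineScript(header) {
  const d = parseCsp(header);
  // A sandbox directive without allow-scripts disables script execution outright.
  if (d.has('sandbox') &&
      !d.get('sandbox').map(t => t.toLowerCase()).includes('allow-scripts')) {
    return false;
  }
  // script-src governs inline scripts; default-src is the fallback when it is absent.
  const sources = d.get('script-src') ?? d.get('default-src');
  if (sources === undefined) return true; // policy says nothing about scripts
  const lower = sources.map(s => s.toLowerCase());
  // 'unsafe-inline' is ignored by CSP2+ browsers when a nonce or hash source is present.
  const hasNonceOrHash = lower.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Several CSP headers on one response are enforced jointly:
// the script runs only if every policy allows it. No header at all means no restriction.
function inlineScriptAllowed(headers) {
  if (!headers || headers.length === 0) return true;
  return headers.every(policyAllowsInlineScript);
}

// Illustrative marker check for a script-bearing SVG. This is NOT a sanitizer:
// a real check must parse the XML; this only flags the obvious carriers
// (<script> elements, on* event attributes, javascript: URLs).
function svgCarriesScript(svg) {
  return /<script[\s>]|\son[a-z]+\s*=|javascript:/i.test(svg);
}

// Combine both: a payload only fires if the file carries script AND the CSP lets it run.
function payloadWouldRun(svg, headers) {
  return svgCarriesScript(svg) && inlineScriptAllowed(headers);
}

// Constructed sample instances (hypothetical header values, not any real deployment),
// modelled on the three situations the article describes.
const INSTANCES = {
  strict:   ["default-src 'none'; script-src 'self'; img-src 'self' data: blob:"],
  weakened: ["default-src 'self'; script-src 'self' 'unsafe-inline'"],
  stripped: [], // header removed by a proxy or misconfiguration
};

// Evaluate every sample instance against the constructed payload.
function assessAll() {
  const result = {};
  for (const [name, headers] of Object.entries(INSTANCES)) {
    result[name] = payloadWouldRun(SVG_WITH_SCRIPT, headers);
  }
  return result;
}

console.log(assessAll()); // { strict: false, weakened: true, stripped: true }
```

The check deliberately treats a missing `script-src` as falling back to `default-src`, and a policy with neither as permissive, because that is how browsers resolve it; an administrator who "edits" a strict default into `'unsafe-inline'` or drops the header lands in the permissive branch even though an attachment preview was never meant to be a script host.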

There were no reports, though, of the vulnerability being actively exploited.

Disclosure

The flaw was reported on February 22, with details published on April 9.

“Disclosure was straightforward. We communicated with Simon Rupf who ran his own series of tests and kept us informed of his findings,” says Budd.

“We discussed mitigations and PrivateBin kept us informed each step of the way.”

PrivateBin says it has mitigated the vulnerability in the attachment preview, and is encouraging server administrators either to upgrade to a version with the fix or to ensure the CSP of their instance is set correctly. It has also expanded its directory listing tool to include a checking mechanism.
