From security@ email
GitHub Security Lab (GHSL) Vulnerability Report: GHSL-2020-336 The GitHub Security Lab team has identified potential security vulnerabilities in wikimedia/analytics-quarry-web. We are committed to working with you to help resolve these issues. In this report you will find everything you need to effectively coordinate a resolution of these issues with the GHSL team. If at any point you have concerns or questions about this process, please do not hesitate to reach out to us at securitylab@github.com (please include GHSL-2020-336 as a reference). If you are NOT the correct point of contact for this report, please let us know! Summary A reflected Cross-Site scripting (XSS) vulnerability has been found in analytics-quarry-web Product https://github.com/wikimedia/analytics-quarry-web Tested Version Latest commit at the time of reporting (December 14, 2020). Details The server responds with return Response(json.dumps(...)) without setting proper mime-type (application/json). This becomes problematic for the preference handling defined here: https://github.com/wikimedia/analytics-quarry-web/blob/085a51b2dee8b58882276d9fe090174252edb85e/quarry/web/app.py#L395-L412 You can exploit this vulnerability by tricking a logged in user to visit vulnerable URL. PoC: Visit official Quarry site https://quarry.wmflabs.org/ or follow setup instructions on repo. (I found official site from here) Log in with a wiki-media acocunt Visit vulnerable URL: https://quarry.wmflabs.org/api/preferences/get/%3Cimg%20src=0%20onerror=alert(0)%3E Impact XSS can cause a variety of problems for the end user that range in severity from an annoyance to complete account compromise. The most severe XSS attacks involve disclosure of the user’s session cookie, allowing an attacker to hijack the user’s session and take over the account. GitHub Security Advisories We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published. Credit This issue was discovered and reported by CodeQL Python team. Contact You can contact the GHSL team at securitylab@github.com, please include GHSL-2020-336 in any communication regarding this issue. Disclosure Policy This report is subject to our coordinated disclosure policy.