Multiple HTML and JavaScript injections
Synopsis
Several vulnerabilities have been found in Kallithea, allowing attackers to inject malicious code into the administration pages.
Description
HTML and JavaScript injection was possible in several places in the Kallithea UI, allowing attackers to run malicious script in the browser of any user who views the affected pages.
User details (first name, last name) as well as repository, repository group and user group descriptions were inserted unescaped into the generated HTML, so an attacker could inject markup and script simply by setting their first name to, for example:
<img src="/images/kallithea-logo.svg" onload="alert('Hello, World!');">
This would display an alert every time the users administration page is viewed. Used against a user with administrator access, the same injection can expose sensitive information. The payload below fetches /_admin/my_account/api_keys with the page's own jQuery, i.e. the API keys page of whoever is viewing the page, and extracts the first 40-character key from it:
<img src="/images/kallithea-logo.svg"
onload="$.ajax({url:'/_admin/my_account/api_keys'}).done(function(data){
a=new RegExp('[0-9a-z]{40}','g');alert('Your API key is:'+
data.substr(data.search(a), 40));});">
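The following is an added example, not code from the Kallithea project or the advisory. It contrasts the unescaped rendering the advisory describes with an escaped one, using Python's standard html.escape, and includes a small check that reports any markup or event handler that leaked out of a user-controlled field. The row template, the field names and the constructed payload are assumptions made for the illustration.

```python
import html
from html.parser import HTMLParser

# Constructed payload, equivalent to the first one quoted in the advisory.
PAYLOAD_FIRST_NAME = (
    '<img src="/images/kallithea-logo.svg" onload="alert(\'Hello, World!\');">'
)


def render_user_row_unsafe(first_name: str, last_name: str) -> str:
    """Vulnerable rendering (assumed template): user-controlled fields are
    pasted verbatim into the HTML, so any markup in them becomes live."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (first_name, last_name)


def render_user_row_safe(first_name: str, last_name: str) -> str:
    """Hardened rendering: every untrusted value is HTML-escaped at output
    time, so <, >, &, " and ' can no longer open tags or attributes."""
    return "<tr><td>%s</td><td>%s</td></tr>" % (
        html.escape(first_name, quote=True),
        html.escape(last_name, quote=True),
    )


class _TagCollector(HTMLParser):
    """Collects (tag, attribute-names) pairs from an HTML fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, tuple(name for name, _ in attrs)))


def injected_markup(rendered: str, template_tags=("tr", "td")):
    """Return the tags in `rendered` that the template itself never emits.

    A non-empty result means attacker-controlled text was turned into
    markup; an on* attribute in the result means it also carries script.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return [(tag, attrs) for tag, attrs in parser.tags if tag not in template_tags]


def has_event_handler(rendered: str) -> bool:
    """True if any tag in `rendered` carries an on* (event handler) attribute."""
    return any(
        name.startswith("on")
        for _, attrs in injected_markup(rendered, template_tags=())
        for name in attrs
    )


if __name__ == "__main__":
    for label, render in (("unsafe", render_user_row_unsafe),
                          ("safe", render_user_row_safe)):
        out = render(PAYLOAD_FIRST_NAME, "Doe")
        print(label, "->", out)
        print("  injected:", injected_markup(out),
              "event handler:", has_event_handler(out))
```

The unsafe renderer emits the payload's img tag with its onload attribute intact, which is exactly the condition the advisory describes; the safe renderer emits only the template's own tags because the payload survives solely as text. The check is deliberately template-specific: it treats any tag the template does not produce as leaked markup, which is a useful assertion to keep in a test suite for templates that render user-supplied names or descriptions.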
Impact
Because the vulnerability lets an attacker execute arbitrary script in the browser of any user who views an affected page, it can be used to take over that user's account by stealing credentials such as API keys. If the victim also has administrator rights, the attacker can thereby gain full administrator access to the Kallithea instance.
Resolution
The Kallithea project has fixed this issue and has issued a patch and a bugfix release.
Users are recommended to apply the patch or to upgrade to the latest 0.2.1 release.
Affected versions
The issue is currently present in Kallithea versions before 0.2.1.
Acknowledgments
Thanks to Nick High for reporting this issue.
References
CVE-2015-1864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1864
Kallithea: Security Notice CVE-2015-1864 https://kallithea-scm.org/security/cve-2015-1864.html
Patch for the issue https://kallithea-scm.org/security/cve-2015-1864.patch
Mercurial changeset fixing the issue https://kallithea-scm.org/repos/kallithea/changeset/a8f2986afc18c9221bf99f88b06e60ab83c86c55