List:       oss-security
Subject:    [oss-security] XSS in BigBlueButton < 2.2.6
From:       Hanno Böck <hanno () hboeck ! de>
Date:       2020-05-14 8:21:17
Message-ID: 20200514102117.78d600ac () computer

BigBlueButton was vulnerable to Cross Site Scripting in the
Presentation upload.

When one uploads a presentation that is an HTML payload but named as
an image (e.g. "foo.png") and allows download, the download would be
served with an HTML MIME type and executed in the browser.

Proof of concept:
* create file named foo.png with content:
<html><script>alert(document.domain)</script>
* Upload as presentation, allow download.
* Click on download.

I reported this to the BigBlueButton developers, but was informed that
at this point it was already fixed. It was previously reported here [1].


[1] https://github.com/bigbluebutton/bigbluebutton/pull/9102

-- 
Hanno Böck
https://hboeck.de/
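
A download-side check for the behaviour described above, as an added example that is not part of the original message and is not BigBlueButton's code: the response type comes from an extension allow-list and is confirmed against the file's leading bytes, and every download is forced to an attachment with sniffing disabled. The names `ALLOWED`, `content_matches_extension` and `download_headers` are hypothetical, and the sample inputs are constructed.

```python
import os

# Allow-list: extension -> (Content-Type to serve, magic-byte prefixes required).
# Hypothetical table for illustration; extend it to the formats you accept.
ALLOWED = {
    ".png": ("image/png", (b"\x89PNG\r\n\x1a\n",)),
    ".jpg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".jpeg": ("image/jpeg", (b"\xff\xd8\xff",)),
    ".pdf": ("application/pdf", (b"%PDF-",)),
}


def content_matches_extension(filename, head):
    """True only if the extension is allow-listed and the first bytes match it."""
    ext = os.path.splitext(filename)[1].lower()
    entry = ALLOWED.get(ext)
    return entry is not None and head.startswith(entry[1])


def download_headers(filename, head):
    """Response headers for serving a stored upload back to other users.

    The type is never derived from sniffing the content: a file whose bytes
    do not match its claimed extension is served as an opaque binary.
    """
    ext = os.path.splitext(filename)[1].lower()
    if content_matches_extension(filename, head):
        ctype = ALLOWED[ext][0]
    else:
        ctype = "application/octet-stream"
    # Keep quotes, CR/LF and path separators out of the header value.
    base = os.path.basename(filename)
    safe = "".join(c if c.isalnum() or c in "._-" else "_" for c in base)
    return {
        "Content-Type": ctype,
        "Content-Disposition": f'attachment; filename="{safe}"',
        "X-Content-Type-Options": "nosniff",
    }


# Constructed samples: the foo.png content from the message, and a real PNG header.
HTML_AS_PNG = b"<html><script>alert(document.domain)</script>"
REAL_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, head in (("foo.png", HTML_AS_PNG), ("slide.png", REAL_PNG)):
        print(name, download_headers(name, head))
```

Rejecting the mismatched file at upload time with `content_matches_extension` is the stricter option; the headers protect files that were stored before such a check existed.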