A Pressbooks stored cross site scripting vulnerability was discovered in all version ≤ 5.17.3. The application is vulnerable to Stored Cross-Site Scripting (XSS) injections via description body. An attacker can thus trick a user into clicking on a malicious link or preview the document that contains the JavaScript code. Once triggered, the malicious JavaScript code is fed in the victim’s browser and executed.

Pressbooks is an open-source book content management system that exports in multiple formats: ebooks, webbooks, print-ready PDF, and various XML flavours. The system is built on top of WordPress Multisite.

Pressbooks Logo
Pressbooks Logo
A Pressbooks stored cross site scripting vulnerability was discovered in all version ≤ 5.17.3. The application is vulnerable to Stored Cross-Site Scripting (XSS) injections via description body. An attacker can thus trick a user into clicking on a malicious link or preview the document that contains the JavaScript code. Once triggered, the malicious JavaScript code is fed in the victim’s browser and executed.

Pressbooks is an open-source book content management system that exports in multiple formats: ebooks, webbooks, print-ready PDF, and various XML flavours. The system is built on top of WordPress Multisite.

To exploit the vulnerability, an attacker needs to create an account, which will create a book in which they will edit the description body of the book info with their malicious code. Only basic JavaScript coding knowledge is required to perform such attacks. A successful attack can lead the attacker to obtain the victim’s session cookie. A valid attack scenario would be to clone the applications login page within the malicious HTML file. Once opened or previewed it would alert the end user that their session has expired promoting them to enter their credentials. This could lead to account takeover.

The steps to reproduce this XSS are to go to the “book info” page and then under the “long description” insert the following code:

pressbooks-blog-image-2
Inject the following code into the “Long Description”:
<html>
<body>
<img src=# onerror=alert(document.cookie)>
</body>
</html>
Then the book information is saved.
pressbooks-blog-image-3
The XSS will trigger every time a user visits the published pressbook book.
pressbooks-blog-image-4

Impact

Stored cross site scripting.

A valid attack scenario would be to clone the applications login page, store it within the malicious HTML file. Once opened it would alert the end user that their session has expired promoting them to enter their credentials. This could lead to account takeover.

Technical Analysis

Entries entered by users should by systematically validated before processing and storage. Pressbooks should not allow HTML entities to be reflected onto the page. The use of character allow lists via strict regular expression on entries is the most effective means of mitigation against this type of attack. In addition, it is highly recommended to systematically encode user or database data into an inert format for Web browsers before sending them back to the user. The lack thereof of such implementation lead to stored cross site scripting.

Vendor Response

The Pressbooks development team sanitizes metadata book info metaboxes to prevent XSS attacks on fields that allows HTML input, this uses Htmlawed to filter and sanitize the input values. The security flaw in the pressbooks application was resolved with a pull-request merged into the dev branch of the main Pressbooks repository which addresses this vulnerability. A stable version of Pressbooks was released in late January of 2021 which includes this fix.

Timeline

  • Disclosed to the vendor January 1st, 2021
  • Acknowledged and fix was published to the dev branch on January 13th, 2021
  • Retests confirmed fix of vulnerability January 13th, 2021
  • CVE assigned January 22nd, 2021

Conclusion

Unsanitized user-input continues to be a concern in Web applications even after years of developer awareness. Although a textbook XSS, we believe publishing proof of concept for vulnerabilities like this is important as an incentive for organizations to patch.

Assigned CVE-2021-3271

Clients of GoSecure Managed Detection and Response (MDR) with the Network Detection and Response component have detection capabilities in-place in case of exploitation of this vulnerability.

Pin It on Pinterest

Share This