louislam / uptime-kuma

A fancy self-hosted monitoring tool

Home Page:https://uptime.kuma.pet

HTML Injection in uptime-kuma Status page

muhammadahmad62 opened this issue · comments

DO NOT PROVIDE ANY DETAILS HERE. Please privately report to https://github.com/louislam/uptime-kuma/security/advisories/new.

Why is this issue needed? It is because GitHub Advisories do not send a notification to @louislam; this is a workaround to do so.

Your GitHub Advisory URL:
https://github.com/louislam/uptime-kuma/security/advisories/GHSA-ffvm-p92q-25c3

It is a feature that users can add HTML code. Also, it can only be edited after logging in. No unauthorized attacker can do this.

The implementation here:

    // Computed properties of the status page component. `marked` renders the
    // stored Markdown to HTML, and DOMPurify sanitises that HTML before it is
    // bound into the page; a null field renders as an empty string.
    incidentHTML() {
        if (this.incident.content != null) {
            return DOMPurify.sanitize(marked(this.incident.content));
        } else {
            return "";
        }
    },
    descriptionHTML() {
        if (this.config.description != null) {
            return DOMPurify.sanitize(marked(this.config.description));
        } else {
            return "";
        }
    },
    footerHTML() {
        if (this.config.footerText != null) {
            return DOMPurify.sanitize(marked(this.config.footerText));
        } else {
            return "";
        }
    },

It is also sanitised.
If you have found a sanitisation escape please report this to https://github.com/cure53/DOMPurify/security instead.

Given that no such advisory has been published by cure53.

@muhammadahmad62 said:

Hi @louislam,

Thank you for your response. I understand that Markdown syntax is supported here, but HTML code, especially tags like <form>, should not be allowed. These can be exploited for Form Hijacking Vulnerabilities to harvest credentials from users. So the input should be further sanitized. Given this, I kindly request that you reconsider the assessment of this report.

Thank you for your attention to this matter.

Best regards,
@muhammadahmad62

But my point is everything can be done by admin only. I don't think admins would hack their own Uptime Kuma.

Also, for example, applications like WordPress and GitHub (code editor) also allow users to edit HTML code and deploy to production; are they exploited for Form Hijacking Vulnerabilities too?
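The thread turns on whether form elements should survive sanitisation of the three status page fields shown above. The following is an added example, not uptime-kuma's or DOMPurify's own code: it defines a tightened option set an operator could pass as the second argument of DOMPurify.sanitize() (FORBID_TAGS is a documented DOMPurify option; the tag list is an assumption about what a status page never needs), and a small heuristic audit that flags interactive elements already stored in the description, incident and footer fields.

```javascript
// Added example (not uptime-kuma code). The option object is meant for
// DOMPurify.sanitize(html, STATUS_PAGE_PURIFY_OPTS); the audit function is a
// dependency-free heuristic for reviewing already-stored status page text.

// Elements that can collect or submit user input; assumed to be unnecessary
// in a status page description, incident text or footer.
const INTERACTIVE_TAGS = ["form", "input", "button", "select", "textarea", "label", "fieldset"];

// Keeps DOMPurify's default allow-list but removes the interactive elements
// and the attribute that can redirect a submit to another URL.
const STATUS_PAGE_PURIFY_OPTS = Object.freeze({
  FORBID_TAGS: INTERACTIVE_TAGS,
  FORBID_ATTR: ["formaction"],
});

// Heuristic scan of stored text: returns the interactive tag names that occur
// as start tags. Case-insensitive, tolerates whitespace and attributes,
// ignores HTML comments. Not a parser; the real control is the sanitiser.
function findInteractiveTags(text) {
  const stripped = text.replace(/<!--[\s\S]*?-->/g, "");
  const found = new Set();
  const startTag = /<\s*([a-zA-Z][a-zA-Z0-9-]*)/g;
  let m;
  while ((m = startTag.exec(stripped)) !== null) {
    const name = m[1].toLowerCase();
    if (INTERACTIVE_TAGS.includes(name)) found.add(name);
  }
  return [...found].sort();
}

// Audit the three fields; a null field is skipped, mirroring the component's
// null checks. Returns { fieldName: [tags] } for fields that need review.
function auditStatusPageFields(fields) {
  const report = {};
  for (const [name, text] of Object.entries(fields)) {
    if (text == null) continue;
    const tags = findInteractiveTags(text);
    if (tags.length > 0) report[name] = tags;
  }
  return report;
}

// Constructed sample values for the three fields (not real operator content).
const SAMPLE_FIELDS = {
  description: "<!-- <form> --> All systems nominal",
  incident: "<FORM action='https://example.invalid/collect'>Name: <input name=user></FORM>",
  footerText: "Contact: <a href='mailto:ops@example.invalid'>ops</a>",
};

console.log(auditStatusPageFields(SAMPLE_FIELDS)); // { incident: [ 'form', 'input' ] }
```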