Message-ID: <20200514102117.78d600ac@computer>
Date: Thu, 14 May 2020 10:21:17 +0200
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: XSS in BigBlueButton < 2.2.6

BigBlueButton was vulnerable to Cross Site Scripting in the
Presentation upload.

When one uploads a presentation that is an HTML payload, but named as
an image (e.g. "foo.png"), and allows download, the download would be
served with an HTML MIME type and executed in the browser.

Proof of concept:
* create file named foo.png with content:
<html><script>alert(document.domain)</script>
* Upload as presentation, allow download.
* Click on download.

I reported this to the BigBlueButton developers, but was informed that
at this point it was already fixed. It was previously reported here [1].


[1] https://github.com/bigbluebutton/bigbluebutton/pull/9102

-- 
Hanno Böck
https://hboeck.de/
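
Added example (not part of the original post and not BigBlueButton code): one way a server can defend against the mismatch described above, by checking an upload's leading bytes against its claimed extension and by serving downloads with headers that stop the browser from rendering them as HTML. The allowlist and the function names are assumptions made for illustration.

```python
# Added example, not BigBlueButton code: validate an upload against its
# claimed extension and build download headers that cannot be rendered as HTML.
import os

# Magic-byte signatures for the image types this sketch accepts (assumed allowlist).
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg": (b"\xff\xd8\xff", "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    ".gif": (b"GIF8", "image/gif"),
}


def content_matches_extension(filename: str, data: bytes) -> bool:
    """True only if the extension is allowlisted and the bytes start with its signature."""
    ext = os.path.splitext(filename)[1].lower()
    entry = SIGNATURES.get(ext)
    return entry is not None and data.startswith(entry[0])


def download_headers(filename: str) -> dict:
    """Headers for serving a stored upload so the browser saves it instead of rendering it."""
    ext = os.path.splitext(filename)[1].lower()
    # Type comes from the allowlist, never from sniffing; unknown types are opaque bytes.
    mime = SIGNATURES[ext][1] if ext in SIGNATURES else "application/octet-stream"
    # Strip characters that could break out of the quoted filename parameter.
    safe_name = os.path.basename(filename).replace('"', "").replace("\r", "").replace("\n", "")
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
    }


if __name__ == "__main__":
    # Constructed samples: the payload from the report, and a PNG signature with padding.
    html_as_png = b"<html><script>alert(document.domain)</script>"
    real_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    print(content_matches_extension("foo.png", html_as_png))
    print(content_matches_extension("foo.png", real_png))
    print(download_headers("foo.png"))
```

The signature check rejects the mislabelled file at upload time; the headers are a second layer that holds even if a mismatched file is already stored.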
