[GH-ISSUE #228] Stored Cross-Site Scripting (XSS) #181

Closed
opened 2026-02-25 21:31:22 +03:00 by kerem · 11 comments
Originally created by @l4rm4nd on GitHub (Nov 27, 2020).
Original GitHub issue: https://github.com/ciur/papermerge/issues/228

Originally assigned to: @ciur on GitHub.

Description
Improper validation of user input leads to stored cross-site scripting (XSS) or HTML injection in the papermerge web application. If a user inserts JavaScript or HTML code into a folder name, the specified payload will be executed on opening the folder.

Expected
Potentially malicious client-side code specified by a user should not be executed in the web application by the browser.

Actual
The browser successfully executes the specified JS or HTML payloads if the newly created folder is opened.

Steps to reproduce

  1. Log in to the papermerge web application https://demo.papermerge.com/admin/browse
  2. Create a new folder named "XSS Folder<script>alert('XSS');</script>" without the quotes
  3. Open the newly created folder with the XSS payload and experience a JavaScript XSS popup saying "XSS".

Impact
This may allow an attacker to steal sensitive session information or CSRF tokens for executing a Cross-Site Request Forgery attack.

Likelihood
Authentication is required to access the papermerge web application.

Recommendation
Do not trust any user input and validate inputs properly. See https://owasp.org/www-community/attacks/xss/

Info:
Tested on the publicly available demo page. https://demo.papermerge.com/admin/browse
@l4rm4nd commented on GitHub (Nov 27, 2020):

Just a quick proof of concept:

![grafik](https://user-images.githubusercontent.com/21357789/100485646-26c36500-3101-11eb-8f2f-9c31259d47a1.png)
@ciur commented on GitHub (Nov 28, 2020):

@l4rm4nd, really good one! Thank you for opening this security issue. I will fix it and ship it as part of the 1.5.1 release.
Thank you!
@l4rm4nd commented on GitHub (Nov 28, 2020):

BTW, this also works for uploaded file names.

Steps to reproduce

  1. Log in to the papermerge web application https://demo.papermerge.com/admin/browse
  2. Upload a new file with the name `"><svg onload=alert(1)>.png`
  3. Experience a JavaScript XSS popup saying "1".

Proof of concept
XSS PNG file uploaded in a "Test" folder of the demo papermerge webpage.
https://demo.papermerge.com/admin/browse#19

![image](https://user-images.githubusercontent.com/21357789/100516118-ce807780-3181-11eb-87ee-6ceaa3eb79c1.png)
@l4rm4nd commented on GitHub (Nov 28, 2020):

Payloads are also reflected in the logs area https://demo.papermerge.com/admin/logs

![image](https://user-images.githubusercontent.com/21357789/100516127-e3f5a180-3181-11eb-910b-3d46deeac1a0.png)
@ciur commented on GitHub (Nov 28, 2020):

@l4rm4nd, oh, man, thank you for your security audit. I will fix the issues in the following days and release 1.5.1 with those security fixes.
Thanks again!
@l4rm4nd commented on GitHub (Nov 28, 2020):

Sure, no worries! Thanks for your fast replies and the will to fix the issues.

BTW, tags are also susceptible to XSS.

Steps to reproduce

  1. Upload a new document into the papermerge webapp
  2. Specify a new tag for the document and use "<script>alert(0)</script>" without quotes
  3. Experience a JS popup with 0

![grafik](https://user-images.githubusercontent.com/21357789/100519164-7bfd8600-3196-11eb-845a-93803d7ecb29.png)
@ciur commented on GitHub (Nov 29, 2020):

Fixes for XSS issues so far (work in progress):

  1. [for folder titles](https://github.com/ciur/papermerge/commit/5e724c25ffe74df9e7bec072f650fe5246f73040)
  2. [for renaming documents/folders](https://github.com/ciur/papermerge/commit/78462819a8c9c94b3448ded7e82e5424390837f6)
  3. [for tags](https://github.com/ciur/papermerge/commit/8d8e10227ae0ce3e8fa85b7d01a8a32656fad3d3)
@ciur commented on GitHub (Nov 29, 2020):

@l4rm4nd
I [released 1.5.1](https://github.com/ciur/papermerge/releases/tag/v1.5.1), which contains bug fixes plus a partial fix of this XSS; this is why the current issue #228 is referenced in that release.
However, fixing all XSS attack vectors requires significantly more changes.
A complete fix for the XSS problems will be provided as part of 1.5.2. Release 1.5.2 will be entirely dedicated to XSS problems.
It will be out in a week.

Thank you again for your detailed audit!
@l4rm4nd commented on GitHub (Nov 29, 2020):

Catching and preventing malicious user input such as XSS payloads with a custom regex might work, but is not complete.

I'm not an expert in Django, but I remember some built-in escaping functions such as `escape()` and `conditional_escape()` which could be used.

`from django.utils.html import escape`

But I will also test some stuff after your fix release.
@ciur commented on GitHub (Nov 30, 2020):

> from django.utils.html import escape

@l4rm4nd, right! I added `escape(...)` in several places before saving to the database.
The release which fixes the above-mentioned issues is [1.5.2](https://github.com/ciur/papermerge/releases/tag/v1.5.2)
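As an added illustration of the two comments above (not Papermerge code and not the content of the linked commits), the block below runs the three payloads quoted in this thread through an unescaped and an escaped version of an invented folder-row template, uses the standard library's HTML parser to list which tags a browser would actually see in each case, and shows the double encoding that appears when a value escaped on save is rendered again by an autoescaping template. Python's `html.escape` stands in for `django.utils.html.escape`; both replace the same five characters (`&`, `<`, `>`, `"`, `'`). The template string and the `node` class name are assumptions made for the example.

```python
"""Added example (not Papermerge code): HTML escaping versus the three
payloads reported in this issue, checked with the stdlib HTML parser."""
import html
from html.parser import HTMLParser

# Payloads exactly as quoted in the thread (constructed test input).
PAYLOADS = {
    "folder": "XSS Folder<script>alert('XSS');</script>",
    "file": '"><svg onload=alert(1)>.png',
    "tag": "<script>alert(0)</script>",
}


def escape_html(value):
    """Same character mapping as django.utils.html.escape: & < > \" and '."""
    return html.escape(value, quote=True)


def render_unsafe(name):
    """Vulnerable pattern: user-controlled text concatenated straight into
    markup, both inside an attribute and inside the element body."""
    return f'<a class="node" title="{name}">{name}</a>'


def render_safe(name):
    """Fixed pattern: escape at the point where text meets HTML."""
    return f'<a class="node" title="{escape_html(name)}">{escape_html(name)}</a>'


class _TagCollector(HTMLParser):
    """Records every start tag the browser-side parser would see."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [attr_name for attr_name, _ in attrs]))


def injected_tags(fragment, template_tags=("a",)):
    """Tags that are not part of the template, or that carry on* event
    handler attributes. An empty list means the user text stayed text."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    return [
        (tag, attrs)
        for tag, attrs in parser.tags
        if tag not in template_tags or any(a.startswith("on") for a in attrs)
    ]


def escape_on_save_then_render(name):
    """Escaping before the database write (the maintainer's approach) and
    then rendering through a template that escapes again (Django's default
    autoescaping) is still safe, but the user sees '&lt;' literally."""
    stored = escape_html(name)   # escaped before saving
    return render_safe(stored)   # escaped a second time at output


if __name__ == "__main__":
    for kind, payload in PAYLOADS.items():
        print(f"{kind:6} unsafe -> {injected_tags(render_unsafe(payload))}")
        print(f"{kind:6} safe   -> {injected_tags(render_safe(payload))}")
    print(escape_on_save_then_render(PAYLOADS["tag"]))
```

With the unescaped template the parser reports a `script` element for the folder and tag payloads and two `svg` elements carrying `onload` for the file-name payload (the `">` prefix closes the attribute, so the same injection lands in both the attribute and the body); with the escaped template it reports nothing beyond the template's own `a` element. Escaping at output time, which Django's templates do by default, is the usual place for this; escaping on save also works, as the release notes above describe, but it double-encodes when the template escapes again and does not protect values that client-side JavaScript later inserts as HTML rather than as text.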
@l4rm4nd commented on GitHub (Dec 3, 2020):

Identified XSS vectors mitigated by release 1.5.2