XSS in markdown rendering

[SoufElhabti]

NetBox version

v3.0.9

Python version

3.8

Steps to Reproduce

1. installed Netbox from docker https://hub.docker.com/r/netboxcommunity/netbox/
2. use any input that accepts markdown
3. submit this payload :

[37qpypz37qpypz37qpypz37qpypz37qpypz]  
37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)

4. when the submiting the for click the link and the xss will fire up

Expected Behavior

the payload is dangerous and allowing XSS attack

Observed Behavior

executing javascript in admin dashboard

[jeremystretch]

2. use any input that accepts markdown

Please specify exactly what you're doing.

[SoufElhabti]

when for example a adding a site in /dcim/sites/ in the comment section submit the payload

 [37qpypz37qpypz37qpypz37qpypz37qpypz]  
37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)

if this wasn't helpful please refer to the video i recorded for the POC
POC VIdeo

[jeremystretch]

I'm not able to reproduce this on NetBox v3.0.9. I just see the plain string as entered. It's possible this may be unique to the docker image, in which case you'll need to open a separate bug against that project. What version of Markdown do you have installed?

[SoufElhabti]

sorry for giving you hard time reproducing it. It is :

 [37qpypz37qpypz37qpypz37qpypz37qpypz]  
[37qpypz37qpypz37qpypz37qpypz37qpypz]: javascript:alert(1)

i forgot a [

[kkthxbye-code]

Duplicate of #4717 - the recommended solution for python-markdown is to filter the html with bleach. Another solution could be to swap it out for another parser that enforces rules for links. Third option would be to try to patch the regex filter in render_markdown.

You don't have to do all that weird stuff he's doing in the payload though, a simple example like this should work:

[test
test](javascript:alert(0))

[DanSheps]

That does not work, at least under a normally configured instance

[DanSheps]

Found the hole...

So, you need to use a reference style link:

# Does not work
[Test](javascript:alert(1))


# Does work
[Test 2][ref]

[ref]: javascript:alert(1)

[kkthxbye-code]

You are misunderstanding the one I posted. You need the newline to bypass the regex.

I verified on both docker and local versions, also you can see it here on the demo instance.

https://demo.netbox.dev/dcim/devices/17/

Again, it's all mentioned in the duplicate issue I linked. The reference style version is new though I guess, but not really the main issue.

[DanSheps]

Yes, but if you look at the reference style, that is exactly the style that he is using (he just omited the actual link and only included the reference)

So it looks like both methods do bypass the allowed URL schemes.