CVE-2021-4124: Cross-site Scripting (XSS) - Stored in janus-gateway

janus-gateway is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

Description

The stored XSS vulnerability occurs in the chat window because the user’s input value is inserted into the web page without verification.

                to: username,
                text: result
            };
            textroom.data({
                text: JSON.stringify(message),
                error: function(reason) { bootbox.alert(reason); },
                success: function() {
                    $('#chatroom').append('<p style="color: purple;">[' + getDateString() + '] <b>[whisper to ' + display + ']</b> ' + result);
                    $('#chatroom').get(0).scrollTop = $('#chatroom').get(0).scrollHeight;
                }
            });
        }
    });
    return;

The code above is the logic that writes a participant's chat message into the chat window. Because it does not convert the value of result to HTML entities, it causes stored XSS. This is a private feature. In other words, it is seen as a vulnerability of the website itself rather than as damage.
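The missing HTML-entity conversion, shown as an added example (not janus-gateway's code or its actual fix): the concatenation pattern from the snippet beside a hardened form, checked against the two proof-of-concept inputs. The function names and the sample date and display values are assumptions made for the illustration.

```javascript
// Characters that can change the HTML parsing context, mapped to entities.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Convert untrusted text to HTML entities so it renders as text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Pattern from the snippet above: `result` is concatenated into markup as-is.
function renderWhisperUnsafe(dateString, display, result) {
  return '<p style="color: purple;">[' + dateString + '] <b>[whisper to ' +
    display + ']</b> ' + result;
}

// Hardened form: every interpolated value is escaped before concatenation.
function renderWhisperSafe(dateString, display, result) {
  return '<p style="color: purple;">[' + escapeHtml(dateString) +
    '] <b>[whisper to ' + escapeHtml(display) + ']</b> ' + escapeHtml(result);
}

// The two inputs from the proof of concept, used here as test vectors.
const POC_INPUTS = [
  '<img src=x onerror=alert(document.domain)>',
  '<a href="javascript:alert(1)">xss</a>',
];

// True when the rendered line contains no tags other than the fixed <p>/<b> template.
function onlyTemplateTags(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.every((t) => /^<(p style="color: purple;"|b|\/b)>$/.test(t));
}

// Constructed sample values: "10:00:00" and "alice" stand in for the date and display name.
for (const input of POC_INPUTS) {
  const unsafe = renderWhisperUnsafe("10:00:00", "alice", input);
  const safe = renderWhisperSafe("10:00:00", "alice", input);
  console.log("unsafe template-only:", onlyTemplateTags(unsafe), "| safe template-only:", onlyTemplateTags(safe));
}
```

In the browser, the same result is obtained by setting the message with jQuery's `.text()` or the DOM `textContent` property instead of building an HTML string.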

Proof of Concept

1. Open https://janus.conf.meetecho.com/textroomtest.html * 2
2. Click the Start button * 2 (Simultaneous access to the chat window with two windows)
3. Click Participants, use the private chat feature and enter <img src=x onerror=alert(document.domain)>, <a href="javascript:alert(1)">xss</a>.
4. Then XSS occurs in the chat window.

Video : https://www.youtube.com/watch?v=bOOPCaNnIfI

Impact

Through this vulnerability, an attacker is able to execute malicious scripts.

Occurrences
