Logo "alt" attribute not escaped; possible (self) XSS

[KevinGimbel]

Preconditions (*)

1. Magento 2.2.6 up and running

Steps to reproduce (*)

1. Go to Content -> Design -> Configuration
2. Edit a theme (doesn't matter which) by clicking "Edit"
3. Scroll down to "Header" and add the following to the Logo Image Alt field

" onload="javascript:alert('hello, world');

Notice the leading "

Expected result (*)

1. The alt attribute on the image is properly escaped

Actual result (*)

1. The single double quote closes the alt tag (")
2. The onload is added as attribute to the image which evaluates the javascript on load
3. "hello, world" is shown when the website loads

---

The problem is getLogoAlt() in Magento\Theme\Block\Html\Header\Logo.

    public function getLogoAlt()
    {
        if (empty($this->_data['logo_alt'])) {
            $this->_data['logo_alt'] = $this->_scopeConfig->getValue(
                'design/header/logo_alt',
                \Magento\Store\Model\ScopeInterface::SCOPE_STORE
            );
        }
        return $this->_data['logo_alt'];
    }

This function should escape all special characters like " to prevent this (self) XSS attack.

Here is the line in the code https://github.com/magento/magento2/blob/2.3-develop/app/code/Magento/Theme/Block/Html/Header/Logo.php#L73

[magento-engcom-team]

Hi @KevinGimbel. Thank you for your report.
To help us process this issue please make sure that you provided the following information:

• Summary of the issue
• Information on your environment
• Steps to reproduce
• Expected and actual results

Please make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy vanilla Magento instance on our environment, please, add a comment to the issue:

@magento-engcom-team give me $VERSION instance

where $VERSION is version tags (starting from 2.2.0+) or develop branches (for example: 2.3-develop).
For more details, please, review the Magento Contributor Assistant documentation.

@KevinGimbel do you confirm that you was able to reproduce the issue on vanilla Magento instance following steps to reproduce?

• yes
• no

[KevinGimbel]

@magento-engcom-team give me 2.2.6 instance

[magento-engcom-team]

Hi @KevinGimbel. Thank you for your request. I'm working on Magento 2.2.6 instance for you

[magento-engcom-team]

Hi @KevinGimbel, here is your Magento instance.
Admin access: http://34.228.235.121/i-19269-2-2-6//admin
Login: admin Password: 123123q
Instance will be terminated in up to 3 hours.

[KevinGimbel]

Reproduced on http://34.228.235.121/i-19269-2-2-6/

Screenshot of Home Page after doing the steps above

[magento-engcom-team]

Hi @engcom-backlog-nazar. Thank you for working on this issue.
In order to make sure that issue has enough information and ready for development, please read and check the following instruction: 👇

• 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

  Details

  If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

• 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

• 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

• 4. Verify that the issue is reproducible on 2.3-develop branch

  Details

  - Add the comment @magento-engcom-team give me 2.3-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.3-develop branch, please, add the label Reproduced on 2.3.x.
  - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

• 5. Verify that the issue is reproducible on 2.2-develop branch.

  Details

  - Add the comment @magento-engcom-team give me 2.2-develop instance to deploy test instance on Magento infrastructure.
  - If the issue is reproducible on 2.2-develop branch, please add the label Reproduced on 2.2.x

• 6. Add label Issue: Confirmed once verification is complete.

• 7. Make sure that automatic system confirms that report has been added to the backlog.

[magento-engcom-team]

@engcom-backlog-nazar Thank you for verifying the issue. Based on the provided information internal tickets MAGETWO-96471, MAGETWO-96472 were created

[DanielRuf]

3. Scroll down to "Header" and add the following to the Logo Image Alt field

" onload="javascript:alert('hello, world');

This is not XSS. XSS is if someone (not an admin but a normal user) adds JavaScript to the URL / address bar (or forms) and it happens. Also just admins can edit this field.

[DanielRuf]

return $this->_data['logo_alt'];

This is the same in many other places. No (special) XSS here, just missing escaping. It is up to the admin who can edit this field / data.

In fact, this is not cross-site.

[DanielRuf]

See https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

A typical (reflected) XSS is for example something like search?q=><script>alert(window.location.hostname)</script>

[KevinGimbel]

@DanielRuf you're right, it's not XSS - my bad!

I still think it is a small attack vector even if it requires an admin to enter text - they could be tricked into copy-pasting very long alt texts which end in " onload=.... A simple escape prevents this.

[DanielRuf]

I still think it is a small attack vector even if it requires an admin to enter text - they could be tricked into copy-pasting very long alt texts which end in " onload=.... A simple escape prevents this.

Sure but this would be the case for every config field and for every CMS and WYSIWYG editor. Still the escaping makes sense but this specific case is not a real attack vector (never saw someone saying copy this long line of code for your alt text).

It's similar to your PayPal account was blocked, click this link to unblock and so on ;-)

[KevinGimbel]

Sure but this would be the case for every config field and for every CMS and WYSIWYG editor.
It is. That's why I am bringing this up. Every input must be validated and/or escaped properly.
Still the escaping makes sense but this specific case is not a real attack vector (never saw someone saying copy this long line of code for your alt text).

Just because you haven't seen it doesn't mean it does not happen. What if a non-technical person searches for ways to rank up in Google and they and up on a shady website that promises perfect alt texts for images based on AI-whatever-fancy-buzzwords. They might copy HTML into their alt texts; Said website might even offer a selection of what CMS they use to exploit such things. Just because you wouldn't make the mistake doesn't mean nobody else might do it.

If I, in any way, manage to inject a piece of JS into your site I can for example easily read out the Admin URL which is randomized since Magento 2. Or sent all cookies and localStorage to my server for analysis or processing.

It's similar to your PayPal account was blocked, click this link to unblock and so on ;-)

It is similar and people fall for these fishing emails and scams.

[DanielRuf]

If I, in any way, manage to inject a piece of JS into

Then social engineering is a bigger problem ;-)

But in general: you are right.

[magento-engcom-team]

Hi @KevinGimbel. Thank you for your report.
The issue has been fixed in #19270 by @ErikPel in 2.3-develop branch
Related commit(s):

• 42308ca83f7cf4f13ee762ff225b7f51d6cbbb4c
• 2d20343ce4b9b9cfae9be8ad76b19c91a72d9a3a
• be294e8af9507a4a33bea791ee03972bec7208d2

The fix will be available with the upcoming 2.3.1 release.