Various XSS, including via page titles in about:overview (CVE-2021-45085, CVE-2021-45086, CVE-2021-45087, CVE-2021-45088)
We received the following report via WebKit Bugzilla:
Specifics
The specifics of my browser:
- Browser: epiphany (https://wiki.gnome.org/Apps/Web)
- Version: 40.3
- WebKitGTK: 2.32.4
- Build Date: Fri 13 Aug 2021 03:59:58 +0545
Description
The browser in its default page (ephy-about:overview) displays the most visited sites/pages which include a thumbnail preview of the page and the title. The title, however, isn't sanitized/encoded before being inserted in the DOM, leading to XSS.
Reproduction Steps
It might need frequent visits to a site with an XSS payload in its title. So, please be patient or see the source code on how it's being inserted. I have set up a page with XSS in the title for easier reproduction.
- Visit https://cm2.pw/title
- You can remove existing ones from ephy-about:overview to bring the recently visited page into the view
- When you see the page in ephy-about:overview, just open a new tab
You should see a pop-up.
Impact
Since the XSS is in ephy-about:// and, assuming that it's a privileged page, it completely bypasses the SOP. If there's a need for a POC, please let me know and I'd be happy to come up with one.
Additional Details
- User-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0 Safari/605.1.15
- DOM: Attached as dom.html
- Screenshot: Attached as ephy-xss.png
Alas, insufficient input validation. :( It's not more input validation we need. The problem is missing output encoding.
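To illustrate the output-encoding point, here is an added example in C; it is not Epiphany's own code, and the function names and the `<span class="title">` markup are assumed for the illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Added example, not Epiphany's own code. html_escape returns a newly
 * allocated copy of s with every HTML-significant character replaced by
 * its entity, so the title is inert in text and attribute context. */
char *html_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1); /* "&quot;" is the longest entity */
    if (!out) return NULL;
    char *p = out;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        }
        if (rep) {
            memcpy(p, rep, strlen(rep));
            p += strlen(rep);
        } else {
            *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}
/* The pattern the report describes: the title the visited site chose is
 * placed in the overview markup verbatim, so any tags in it are live. */
char *render_title_unsafe(const char *title)
{
    const char *fmt = "<span class=\"title\">%s</span>";
    size_t len = snprintf(NULL, 0, fmt, title);
    char *out = malloc(len + 1);
    if (out) snprintf(out, len + 1, fmt, title);
    return out;
}
/* Hardened form: encode at the point of output, whatever the site sent. */
char *render_title(const char *title)
{
    char *esc = html_escape(title);
    if (!esc) return NULL;
    char *out = render_title_unsafe(esc); /* esc can no longer carry markup */
    free(esc);
    return out;
}
```

Validating titles on the way in would not help here, because a title is legitimately allowed to contain `<`, `&` or quotes; the encoding has to happen where the string meets the HTML.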