XSS using extension homepage field
I'm manually copying this from https://gitlab.gnome.org/Teams/Releng/security/-/issues/21.
Original reporter: Fabian Bräunlein
Area: Platform component
Message
Dear Gnome Security Team,
I would like to report a stored XSS in https://extensions.gnome.org.
Vulnerability
- Missing validation of the "Extension Homepage" URL field leading to stored Cross-Site Scripting via the "javascript:" URI scheme (PoC Screenshot [1])
- The review page of the app is already publicly available (see attached PoC screenshot from incognito window)
- Exploited when either a reviewer is clicking the link, or the public review page is shared and another user clicks the link
Impact
- Session hijacking/Account takeover, with the following peculiarities:
  - When a reviewer clicks the link during the review process, this probably also allows approving other requests or even modifying existing extension code.
  - When a logged-in user owning extensions clicks the link, an update introducing a subtle backdoor could be submitted for review.
- Communicate with "GNOME Shell integration" browser extension
  - As we can execute arbitrary JavaScript from an origin accepted by the browser extension, we can send arbitrary commands to it, which in turn results in sendNativeRequest calls. This allows e.g. listing/enabling extensions, or triggering an install/uninstall.
Recommendation
- Validate Website URL using an AllowList (only allowing the "https://" and possibly "http://" URI scheme)
Let me know if you need any more details or I can help otherwise!
Cheers, Fabian
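The allowlist validation recommended in the report, as an added example that is not part of the original issue or of the extensions.gnome.org code base. It assumes a Django-style validator function (`validate_homepage_url` is a name chosen here) and is default-deny: anything that is not an absolute http(s) URL with a host is rejected, including `javascript:` in any letter case and with browser-stripped control characters inserted.

```python
from urllib.parse import urlsplit

# Allowlist: every scheme not listed here (javascript:, data:, vbscript:,
# file:, scheme-less or relative input, ...) is rejected by default.
ALLOWED_SCHEMES = frozenset({"https", "http"})
MAX_URL_LENGTH = 2048


def validate_homepage_url(raw: str) -> str:
    """Return the URL if it is an absolute http(s) URL with a host, else raise ValueError."""
    if not isinstance(raw, str) or not raw:
        raise ValueError("homepage URL must be a non-empty string")
    # Browsers strip ASCII control characters before parsing, so a value such as
    # "java\nscript:alert(1)" is navigated as a javascript: URL even though a
    # naive prefix check would not recognise the scheme. Reject them outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        raise ValueError("control characters are not allowed in a URL")
    url = raw.strip()
    if len(url) > MAX_URL_LENGTH or any(c.isspace() for c in url):
        raise ValueError("URL too long or contains whitespace")
    try:
        parts = urlsplit(url)
        parts.port  # raises ValueError on a malformed port such as ":abc"
    except ValueError as exc:
        raise ValueError(f"malformed URL: {exc}") from None
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if not parts.hostname:
        raise ValueError("URL must contain a host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in a URL are not allowed")
    return url


def is_safe_homepage_url(raw: str) -> bool:
    """Boolean wrapper, e.g. for a form clean() method or a template filter."""
    try:
        validate_homepage_url(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; none of these values come from the report.
    for candidate in ["https://example.com/my-extension", "javascript:alert(document.cookie)",
                      "JaVaScRiPt:alert(1)", "java\nscript:alert(1)", "//example.com",
                      "https:example.com", "https://example.com:abc"]:
        print(f"{candidate!r:40} -> {is_safe_homepage_url(candidate)}")
```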