Responsible Disclosure: XSS in Codeberg Pages


Codeberg is a hip new code hosting site - similar to GitHub and GitLab. And, much like Gits Hub & Lab, users can serve static content through Codeberg pages.

Somehow I screwed up my configuration, and when I visited edent.codeberg.page/abc123 I got this error:

Screenshot of a 404 not found page. The name of the path is displayed on the page.

Now, whenever I see something from the request echoed into the page's source, my hacker-sense starts tingling. What happens if I shove an innocent HTML element into the URl?

edent.codeberg.page/abc<em>123

Screenshot of the same page. Half the text is italic.

Aha! It lets through some HTML. I wonder which other elements it lets through? Let's try...

edent.codeberg.page/abc<img src="https://placekitten.com/640/640">123

Screenshot showing a broken image icon.

Ah nuts! Let's look in to the source code to see what went wrong:

Screenshot of HTML code. The URl is truncated at the colon.

It seems that the back end code has some protection. It strips all / characters. That makes it impossible to inject a working <script> element because there will never be a </script> to close it.

We can't even use my favourite little trick of Base64 encoding the contents of an <iframe>:

<iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgiWFNTISIpOzwvc2NyaXB0Pg==">

Manually removing the / led to this:
Screenshot of a page with an iframe. It displays some Javascript in plain text.

No forward slashes makes things like <svg> injection difficult - if not impossible. Hmmm... what can we do...? I know!

The onerror event handler.

test.codeberg.page/abc<img src=1 onerror=alert("xss") ;

An XSS pop up alert on a webpage.

Boom!

Let this be a lesson to you - always sanitised user-supplied content, no matter how innocuous it seems.

Timeline

  • 2022-12-02 Discovered. Emailed support, got a secure address to email, sent disclosure.
  • 2022-12-05 Tested and discovered that it had been fixed.
  • 2023-01-02 Blog post automatically published.

Share this post on…

What are your reckons?

All comments are moderated and may not be published immediately. Your email address will not be published.Allowed HTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong> <p> <pre> <br> <img src="" alt="" title="" srcset="">