XSS and Argument Injection Flaws Found in Popular Etherpad Collaboration Tool
Researchers discovered two vulnerabilities in Etherpad, an open-source collaborative real-time editor that allows multiple authors to simultaneously edit a text document. The vulnerabilities can lead to theft or manipulation of documents being edited; and to theft, modification or deletion of all data, and to targeting other internal systems that are reachable from the server.
Etherpad has thousands of deployments worldwide, and millions of users. It can be hosted locally, or used through third-party public instances. The first vulnerability (CVE-2021-34817), found and described by researchers at SonarSource, is an XSS flaw that allows an attacker to take over a user account, including admins, and gain access to the document.
The second flaw (CVE-2021-34816) is an argument injection vulnerability that allows an attacker to execute arbitrary code and system commands to fully compromise the Etherpad instance and its data. This second flaw requires an admin account, which is not a default setting. However, if one exists, the two vulnerabilities can be chained by the attacker to first compromise an admin and then to use the admin privileges to execute arbitrary code on the server.
The XSS flaw exists in the Etherpad chat feature. Messages are stored and available on the server. When a user opens a pad, the chat messages are brought to the front end with HTML elements. During this process, the userId property of a message is inserted into the DOM without properly escaping special characters. An attacker could inject malicious JavaScript into the chat history, which would then be executed. “This enables an attacker,” say the researchers, “to initiate further attack requests in the browser context of the admin.”
The argument injection flaw involves Etherpad’s admin area where admins can manage plugins, edit settings, and view system information. When a new plugin is to be installed, its name is sent to the backend where the corresponding NPM plugin is called and installed. By first hijacking an admin account via the XSS flaw, the attacker can manipulate this process to specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker’s server.
The flaws were reported by the SonarSource researchers to Etherpad on April 6, 2021 and confirmed by Etherpad on the same day. The XSS flaw was fixed by April 8, 2021 and released within Etherpad version 1.8.14 on July 4, 2021. The argument injection flaw has not so far been fixed, but is harder to exploit without the XSS flaw.
The researchers believe that the vulnerabilities may have been present within Etherpad since at least version 1.7.0. It is important that all Etherpad users who have not yet updated to version 1.8.14 do so as soon as possible.
SonarSource is a code analysis firm headquartered in Geneva, Switzerland. It was founded by Olivier Gaudin (CEO), Freddy Mallet (angel investor), and Simon Brandhof (technical lead) in 2008, and raised $45 million from Insight Venture Partners in 2016. In May 2020 it acquired German startup RIPS Technologies, known for its PHP, Java and JavaScript analyzers.
Related: XSS Vulnerability in Cisco Security Products Exploited in the Wild
Related: Stored XSS Vulnerability on iCloud.com Earned Researcher $5,000
Related: Google Launches Database for Open Source Vulnerabilities
Related: Open Source Security Management Firm WhiteSource Raises $75 Million