#PT12068_3 - Content Spoofing Via Emails

    Details

    • Type: Bug
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: Security, Security / Rights

      Description

      Server-Side Injection > Content Spoofing > Email Hyperlink Injection Based on Email Provider

      Proof of Concept

      1. Log in to an admin account on https://pentest.beta.nuxeocloud.com
      2. Create a file and open its Permissions tab, e.g. https://pentest.beta.nuxeocloud.com/nuxeo/ui/#!/browse/default-domain/sections/test.html?p=permissions
      3. Share the file with an external user: enter the recipient's email address and a message to be included in the notification email. Add some links, or edit my file, as follows:
      4. This triggers a notification email in which the user-supplied link is rendered as a clickable hyperlink by the recipient's email provider, so the message appears to come from the platform itself.

      Suggested Fix

      Always ensure that the contents of platform-generated emails cannot be tampered with by the user who triggers them. Limit what the user can insert into the email by filtering special characters and capping the number of characters that can be inserted, and strip anything that looks like a URL (scheme-prefixed addresses, "www." hosts and bare domain names), since email providers commonly render these as clickable links. Any link the email should carry, such as the document URL, must be generated server-side and placed in the template by the application, not taken from the user-supplied message.
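      One way to implement the suggested fix, as an added illustration that is not Nuxeo's own code: the user-supplied share message is stripped of control characters and URL-like tokens, capped in length and HTML-escaped, while the only hyperlink in the email is the server-generated document URL. The limit, the TLD list and the template below are assumptions chosen for this example.

```python
import html
import re

# Assumed cap on the free-text message a sharer may attach to the notification.
MAX_MESSAGE_LENGTH = 500

# Matches (a) absolute URLs with a scheme, (b) bare "www." hosts and
# (c) bare domain names ending in a small, assumed set of TLDs, optionally
# followed by a path. Mail clients auto-link all three forms.
_URL_RE = re.compile(
    r"""(?ix)
    \b[a-z][a-z0-9+.\-]*://[^\s<>"']+          # absolute URL: scheme://host/path
    | \bwww\.[^\s<>"']+                         # bare www.host/path
    | \b(?:[a-z0-9\-]+\.)+(?:com|net|org|io|co|info|biz|cloud|dev|app|edu|gov)\b(?:/[^\s<>"']*)?
    """
)

# ASCII control characters (except tab, newline and carriage return).
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

# Placeholder shown where a link was removed from the user's message.
LINK_PLACEHOLDER = "[link removed]"


def contains_url(message: str) -> bool:
    """True if the message holds anything a mail client would render as a link."""
    return _URL_RE.search(message) is not None


def sanitize_share_message(message: str) -> str:
    """Return a version of the user's message that is safe to embed in HTML mail.

    Order matters: links are removed first, then the text is capped, then it is
    escaped so that markup in the message cannot alter the email template.
    """
    text = _CONTROL_RE.sub("", message)
    text = _URL_RE.sub(LINK_PLACEHOLDER, text)
    text = text[:MAX_MESSAGE_LENGTH]
    return html.escape(text, quote=True)


def render_share_email(sender_display_name: str, share_url: str, message: str) -> str:
    """Build the HTML body of the share notification (hypothetical template).

    The only <a href> is share_url, which the application generates itself;
    the sharer's message is placed in the body as text and cannot add links.
    """
    return (
        "<p>{sender} shared a document with you.</p>\n"
        "<blockquote>{message}</blockquote>\n"
        '<p><a href="{url}">Open the document</a></p>'
    ).format(
        sender=html.escape(sender_display_name, quote=True),
        message=sanitize_share_message(message),
        url=html.escape(share_url, quote=True),
    )


if __name__ == "__main__":
    # Constructed sample input resembling the proof-of-concept message.
    evil = '<b>Urgent</b>: reset your password at http://evil.example/login or www.evil.example'
    print(render_share_email("Alice", "https://nuxeo.example/nuxeo/ui/#!/doc/1234", evil))
```

      The bare-domain rule is deliberately scoped to a TLD list so that ordinary filenames such as "test.html" survive; widen or replace that list to match the deployment's recipients. The placeholder makes the removal visible to the recipient, which is preferable to silently deleting text the sharer wrote.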

            People

            • Assignee:
              Unassigned
            • Reporter:
              santony Sooraj Antony