Links in topic titles override topic link


(Steven J, WTDWTF) #1

Found on WTDWTF

  1. Create a topic with HTML in the title - for example, <a href="https://google.com">Topic Title</a>
  2. Attempt to “Reply as linked Topic” to the topic in #1
  3. The link to the original will go to google.com instead of the original topic

http://what.thedailywtf.com/t/i-wonder-if-this-will-work-pt-2/37124

Putting a link in the topic title allows you to override the “Continuing the discussion from…” link, allowing it to go to an arbitrary destination…

EDIT: Almost forgot - Credit @abarker and @onyx for this as well.
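As an added illustration (not from this thread and not Discourse's own code), the quoted "Continuing the discussion from" line built with the raw title beside a version that escapes the title first, plus a check that flags titles carrying markup; the forum URL is a constructed placeholder.

```ruby
require "cgi"

# Constructed example (not Discourse's code): the "Continuing the
# discussion from ..." line of a linked topic's OP, built unsafely
# and safely from the source topic's title.

ORIGINAL_URL = "https://forum.example/t/original-topic/1" # assumed URL

# Vulnerable construction: the title is interpolated untouched, so
# any tag inside it survives into the new OP's markdown.
def unsafe_continuing_link(title, url)
  "Continuing the discussion from [#{title}](#{url}):"
end

# Hardened construction: HTML-escape the title so angle brackets and
# quotes become entities, then backslash-escape the markdown link
# delimiters so the title cannot break out of the [text](url) form.
def escape_title(title)
  CGI.escapeHTML(title).gsub(/[\[\]()]/) { |c| "\\#{c}" }
end

def safe_continuing_link(title, url)
  "Continuing the discussion from [#{escape_title(title)}](#{url}):"
end

# Defender-side check: does a title contain an HTML tag or markdown
# link syntax that a plain topic title should never carry?
def title_contains_markup?(title)
  title.match?(/<\s*[a-z][^>]*>/i) || title.match?(/\]\(/)
end

if __FILE__ == $PROGRAM_NAME
  title = %q{<a href="https://google.com">Topic Title</a>}
  puts unsafe_continuing_link(title, ORIGINAL_URL)
  puts safe_continuing_link(title, ORIGINAL_URL)
  puts title_contains_markup?(title)
end
```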


#2

This is just one example of a wider issue: the HTML isn’t sanitised at all when folded into the new topic OP.


#3

This vulnerability extends to more than just links. For example, we also demonstrated issues with images. More details on repro steps are available at WTDWTF, or can be provided on request.


(Mr.Burns avatar therefor TDWTF) #4

And here is a link to a more centralized note on this:


(Robin Ward) #5

I’ve got a fix here:

https://github.com/discourse/discourse/commit/914dd2dd8d2ffd3c17f94f625a21a90fd096969e

Correct me if I’m wrong guys, but it doesn’t seem like a “SECURITY” level fix, as all it does is allow you to try and create a markdown link with bad HTML, which is run through our sanitizer anyway.


(Steven J, WTDWTF) #6

It’s not a conventional XSS security issue, but from a social engineering/ux perspective, people expect that link to be one thing, and if it isn’t, that can be bad (fake sites, phishing, etc).


(Robin Ward) #7

Thanks for reporting it and for the clarification. I just wanted to make sure I didn’t miss a major security hole here :smile:


(Mr.Burns avatar therefor TDWTF) #8

While that is a security hole, I don’t know if it is big enough for the kind of emergency fix push that a normal security hole would get.


(Steven J, WTDWTF) #9

Agreed. It shouldn’t be super-urgent, especially given that you really could do that anyways (this just makes it much easier/more hijackable).


(Sam Saffron) #10

Seems to be working now… closing


(Sam Saffron) #11