Coordinated Disclosure Timeline

Summary

Dangerous usage of the template rendering API (passing attacker-controlled objects to res.render) may lead to Cross-Site Scripting (XSS), file disclosure, and potentially Remote Code Execution (RCE).

Product

Mailtrain

Tested Version

Master branch at commit 281072ac1bb43d539f6dd13ceed6390a8581c248.

Details

Template object injection

Passing attacker-supplied objects to the res.render method leads to several security problems, such as XSS and file disclosure, as demonstrated in the proofs of concept below. The exploit works by overwriting internal configuration of the rendering pipeline, such as settings.views, with attacker-supplied values: Express merges the options object given to res.render over app.locals (which carries the application configuration under the settings key) before handing the result to the view engine, so a top-level settings key in the attacker's object silently replaces the application's own. In this PoC we have used req.query, but any source of attacker-controlled data that reaches the options object can be used.

There are a non-trivial number of places in which user-influenced objects land in a call to res.render. We have used CodeQL to identify the locations that need attention.

From the results of the query we have selected /routes/lists.js to illustrate the issue; other cases behave similarly:

router.get('/create', passport.csrfProtection, (req, res) => {
    // req.query is attacker-controlled; every key it contains, nested
    // objects included, ends up in data
    let data = tools.convertKeys(req.query, {
        skip: ['layout']
    });

    data.csrfToken = req.csrfToken();

    if (!('publicSubscribe' in data)) {
        data.publicSubscribe = true;
    }

    data.unsubscriptionModeOptions = getUnsubscriptionModeOptions(data.unsubscriptionMode || lists.UnsubscriptionMode.ONE_STEP);

    // the attacker-shaped object becomes the render options of the view engine
    res.render('lists/create', data);
});

In the code above the object data is populated from req.query, which Express parses from the query string of the URL. With the default ("extended") query parser, bracket notation such as settings[views]=... is turned into nested objects, so an attacker can craft arbitrarily shaped objects that are supplied to the rendering engine as its options.

XSS Proof of Concept

An authenticated user can be tricked into opening the following URL, which executes the JavaScript carried in the shoutout parameter in the context of that user's session:

http://localhost:3000/lists/create?indexPage=true&shoutout=<script>alert("XSS")</script>

File disclosure

An authenticated user can disclose the contents of arbitrary files readable by the Mailtrain process. The following URL overrides the views directory (settings.views) and the layout name (settings['view options'].layout), so the engine loads /app/setup/mailtrain.conf as the layout and returns its contents in the response:

http://localhost:3000/lists/create?indexPage=true&shoutout=goose&settings[views]=/app/setup/&settings[view%20options][layout]=mailtrain.conf

Impact

The impact of this vulnerability depends on the template engine in use. We have verified that XSS and file disclosure are possible; remote code execution cannot be ruled out.

CVE

Resources

Credit

This issue was discovered and reported by GHSL team member @agustingianni (Agustin Gianni).

Contact

You can contact the GHSL team at securitylab@github.com; please include a reference to GHSL-2021-032 in any communication regarding this issue.