+++
title = "Security update: Riot/Web 0.13.5 released - fixing XSS vulnerability"
path = "/blog/2018/02/09/security-update-riotweb-0-13-5-released-fixing-xss-vulnerability"
[taxonomies]
author = ["Matthew Hodgson"]
category = ["Tech"]
+++
Hi all,
Heads up that we made an emergency release of Riot/Web 0.13.5 a few hours ago to fix an XSS vulnerability found and reported by walle303 - many thanks for disclosing it responsibly.
<strong>Please upgrade to Riot/Web 0.13.5 asap. If you're using <a href="https://riot.im/app">riot.im/app</a> or <a href="https://riot.im/develop">riot.im/develop</a> this simply means hitting Refresh; otherwise please upgrade your Riot deployment as soon as possible. </strong><a href="https://pkgs.alpinelinux.org/packages?name=riot-web&branch=edge">Alpine</a>, <a href="https://riot.im/desktop">Debian</a> and <a href="https://github.com/taw00/riot-rpm">Fedora/RPM</a> packages are already updated - huge thanks to the maintainers for the fast turnaround.
The issue lies in the relatively obscure external_url feature, which lets bridges specify a URL for bridged events, letting Riot/Web users link through to the 'original' event (e.g. a Twitter URL on a bridged tweet). The option is hidden in a context menu and labelled "Source URL", and is only visible on events which have the external_url field set. Unfortunately Riot/Web didn't sanitise the URL correctly, allowing a malicious URL to be injected - and this has been the case since the feature landed in Riot 0.9.0 (Nov 2016).
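As an added example of the class of fix this advisory describes (not Riot/Web's own code): allow-list the scheme of a bridge-supplied external_url before it is rendered as the "Source URL" href, so anything that is not a parseable http(s) URL is simply not linked. The event shape follows the Matrix external_url field named above; the function name and the sample events are constructed for illustration.

```javascript
// Added example, not Riot/Web's code: scheme allow-listing for the
// bridge-supplied external_url before it becomes the "Source URL" href.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

/**
 * Return a normalised, safe-to-link URL string for the event's
 * content.external_url, or null if the field is missing, unparsable,
 * or uses a scheme outside the allow-list.
 */
function safeExternalUrl(event) {
  const raw = event && event.content && event.content.external_url;
  if (typeof raw !== "string") return null;

  let parsed;
  try {
    // WHATWG URL parsing with no base: relative or scheme-less values
    // throw and are therefore rejected rather than rendered.
    parsed = new URL(raw.trim());
  } catch (_) {
    return null;
  }
  // URL lower-cases the scheme, so mixed-case variants are compared
  // against the allow-list in their canonical form.
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Constructed sample events, shaped like bridged Matrix messages.
const bridgedTweet = {
  type: "m.room.message",
  content: { body: "hello from twitter", external_url: "https://twitter.com/example/status/1" },
};
const noSource = { type: "m.room.message", content: { body: "plain message" } };
const badScheme = {
  type: "m.room.message",
  content: { body: "x", external_url: "javascript:void(0)" },
};
const notAUrl = { type: "m.room.message", content: { body: "x", external_url: "not a url" } };

if (typeof require !== "undefined" && require.main === module) {
  for (const ev of [bridgedTweet, noSource, badScheme, notAUrl]) {
    console.log(JSON.stringify(ev.content.external_url), "->", safeExternalUrl(ev));
  }
}
```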
If you're not able to upgrade to Riot/Web 0.13.5 for some reason, then please do not click on the 'Source URL' feature on the event context menu:
<a href="/blog/wp-content/uploads/2018/02/xss.png"><img class="aligncenter size-large wp-image-3001" src="/blog/wp-content/uploads/2018/02/xss-1024x352.png" alt="" width="1024" height="352" /></a>
Apologies for the inconvenience,
thanks,
Matthew