I’m quite busy with bug bounties lately, but sometimes I still discover stuff which might also be interesting for the rest of you ;-). So here’s a quick writeup about a quite interesting vulnerability in the open source Slack alternative Mattermost, which I found in December last year and coordinated with the Mattermost team. You can also read the full advisory here - make sure you update your Mattermost instances asap.
A prepared link could look like the following:
This inserts the value of the “link” parameter in the response body:
But when you click on the link, which should pop up the Base64 payload, nothing happens, and your browser’s debugger will show an error like the following:
To be honest I haven’t spent much time analyzing this, because it doesn’t seem to be exploitable automatically due to the origin mismatch, but luckily the same error page also suffers from multiple other content injections, which in the end lead to a fully customizable error page. The other elements present on the error page, like the title, the text of the link and the body message itself, can also be set via their corresponding GET parameters “title”, “linkmessage” and “message”:
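To show what the fix side of this looks like, here is an added example of how an error page that takes “link”, “title”, “linkmessage” and “message” from the query string can be rendered safely. It is written in Go because Mattermost is a Go project, but it is illustration code of my own, not Mattermost’s handler or its actual patch; the site origin `https://mattermost.example` and the query values are constructed. The idea is to treat the four parameters as untrusted text (contextual HTML escaping via `html/template`) and to accept a “link” only if it is a relative path or an absolute URL on the site’s own origin, falling back to `/` for anything else (other schemes, foreign hosts, protocol-relative `//host`).

```go
package main

import (
	"fmt"
	"html/template"
	"net/url"
	"strings"
)

// ErrorPage holds the four attacker-influenced fields of the error page.
type ErrorPage struct {
	Title       string
	Message     string
	LinkMessage string
	Link        string
}

// SanitizeErrorLink returns raw only if it is a plain relative path ("/foo")
// or an absolute http(s) URL whose scheme and host match siteOrigin.
// Everything else (data:, javascript:, foreign hosts, "//host", "/\host")
// is replaced by the site root so the link can never leave the origin.
func SanitizeErrorLink(raw, siteOrigin string) string {
	const fallback = "/"
	raw = strings.TrimSpace(raw)
	if raw == "" {
		return fallback
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fallback
	}
	if u.Scheme == "" && u.Host == "" {
		// Relative reference: require exactly one leading slash; "//host" and
		// "/\host" are treated as protocol-relative URLs by browsers.
		if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") && !strings.HasPrefix(raw, "/\\") {
			return u.String()
		}
		return fallback
	}
	site, err := url.Parse(siteOrigin)
	if err != nil {
		return fallback
	}
	sameScheme := (u.Scheme == "http" || u.Scheme == "https") && u.Scheme == site.Scheme
	sameHost := strings.EqualFold(u.Host, site.Host)
	if sameScheme && sameHost {
		return u.String()
	}
	return fallback
}

// errorTmpl uses html/template, which escapes each field for the HTML
// context it lands in (text node vs. href attribute).
var errorTmpl = template.Must(template.New("error").Parse(
	`<h1>{{.Title}}</h1><p>{{.Message}}</p><a href="{{.Link}}">{{.LinkMessage}}</a>`))

// RenderErrorPage builds the page from the query parameters named in the
// writeup and returns the resulting HTML.
func RenderErrorPage(q url.Values, siteOrigin string) (string, error) {
	page := ErrorPage{
		Title:       q.Get("title"),
		Message:     q.Get("message"),
		LinkMessage: q.Get("linkmessage"),
		Link:        SanitizeErrorLink(q.Get("link"), siteOrigin),
	}
	var sb strings.Builder
	if err := errorTmpl.Execute(&sb, page); err != nil {
		return "", err
	}
	return sb.String(), nil
}

func main() {
	// Constructed request: markup in the title and an off-origin link.
	q := url.Values{}
	q.Set("title", "<b>Oops</b>")
	q.Set("message", "Something went wrong")
	q.Set("linkmessage", "Back to team site")
	q.Set("link", "//evil.example/phish")
	html, err := RenderErrorPage(q, "https://mattermost.example")
	if err != nil {
		panic(err)
	}
	fmt.Println(html)
}
```

The `<h1>` ends up as `&lt;b&gt;Oops&lt;/b&gt;` rather than bold text, and the protocol-relative link collapses to `/`. Note that `html/template` on its own already neutralizes `javascript:` in an `href`, but it still lets foreign `http(s)` hosts through, which is why the explicit origin check on the “link” parameter is the part that matters here.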