Important Flaws Reported in Etherpad — a Popular Google Docs Alternative

Cybersecurity researchers have disclosed new security vulnerabilities in the Etherpad text editor (version 1.8.13) that could potentially allow attackers to hijack administrator accounts, execute system commands, and even steal sensitive documents.

The two flaws — tracked as CVE-2021-34816 and CVE-2021-34817 — were discovered and reported on June 4 by researchers from SonarSource, following which patches were shipped for the latter in version 1.8.14 of Etherpad, released on July 4.

Etherpad is a real-time collaborative interface that allows a document to be edited simultaneously by multiple authors. It is an open-source alternative to Google Docs that can be hosted on your own servers.

“The XSS vulnerability allows attackers to take over Etherpad users, including admins. This can be used to steal or manipulate sensitive data,” SonarSource vulnerability researcher Paul Gerste said in a report shared with The Hacker News.


“The argument injection vulnerability allows attackers to execute arbitrary code on the server, which would allow [them] to steal, modify or delete all data, or to target other internal systems that are reachable from the server.”

Specifically, the XSS vulnerability (CVE-2021-34817) resides in the chat feature offered by Etherpad, with the “userId” property of a chat message — i.e., a unique identifier associated with a document author — rendered on the front-end without properly escaping special characters, thus allowing an adversary to insert a malicious JavaScript payload into the chat history and perform actions as a victim user.
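The root cause described above is an output-encoding failure: an attacker-controlled string is interpolated into HTML as markup instead of text. The following is an added example, not Etherpad's own code, showing the unsafe pattern beside the hardened one. The chat message shape, the template, and the sample userId are all constructed for illustration; an Etherpad userId is treated here simply as an untrusted string.

```javascript
// Added example (not Etherpad's code): encode untrusted chat fields as text
// before they reach the DOM so < > & " ' can never become markup.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that has meaning in an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering (hypothetical template): both the attribute value and the
// element body are encoded, so a userId containing tags is shown literally.
function renderChatLine(message) {
  const author = escapeHtml(message.userId);
  return `<span class="author" data-userid="${author}">${author}</span>: ${escapeHtml(message.text)}`;
}

// Vulnerable form kept for contrast: userId is interpolated verbatim, which is
// the class of mistake the article describes. Do not use this variant.
function renderChatLineUnsafe(message) {
  return `<span class="author">${message.userId}</span>: ${escapeHtml(message.text)}`;
}

// Returns true when the rendered HTML still contains a raw tag from the input,
// i.e. the encoding step was skipped. Useful as a unit-test guard on templates.
function leaksMarkup(renderFn, message) {
  return /<script|<img|<svg|onerror=|onload=/i.test(renderFn(message));
}

// Constructed sample: a userId carrying markup instead of an identifier.
const SAMPLE_MESSAGE = {
  userId: 'a.abc123<script>alert(1)</script>',
  text: 'hello <world>',
};
```

A DOM-based equivalent is to assign the value with `textContent` (or `setAttribute`) rather than building an HTML string at all; the escape function matters when a string template is unavoidable. The `leaksMarkup` check is the kind of regression test that would have caught the unescaped interpolation before release.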

CVE-2021-34816, on the other hand, concerns how Etherpad manages plugins, wherein the name of the package to be installed via the “npm install” command isn’t adequately sanitized, leading to a scenario that could allow an attacker to “specify a malicious package from the NPM repository or to simply use a URL that points to a package on the attacker’s server.”

Successful exploitation of CVE-2021-34816 results in the execution of arbitrary code and system commands, completely compromising the Etherpad instance and its data.

Concerningly, both vulnerabilities can be chained together by an attacker, first to take over an administrator account and then to use those privileges to gain a shell and execute malicious code on the server.


“Fixed a persistent XSS vulnerability in the Chat component,” Etherpad maintainers said in the release notes for version 1.8.14. “If you can’t update to 1.8.14 directly, we strongly recommend to cherry-pick [commit] a796811.” It is worth noting that the argument injection vulnerability remains unpatched, although the researchers note that the flaw is “significantly harder to exploit on its own.”

The research highlights “how important data validation and sanitization is for avoiding such flaws during development,” Gerste said, adding, “the smallest coding mistake can be the first stepping stone for an attacker to launch further attacks against the software.”

Etherpad users are strongly advised to update their installations to version 1.8.14 to mitigate the risk associated with the flaw.
