More security issues with uploaded templates


I recently posted about a security problem caused by the “same origin” of the iframe that is used on the preview window of the page builder: /topics/possible-security-hole-in-unbounce

The Unbounce team is still fixing that - but the problem is deeper than just that. 

The Unbounce app allows users to upload and download custom-made templates by anyone - that includes all the template elements and also custom JS scripts - this fact forces Unbounce to follow some strict security protocols concerning JS:

  • Sandboxing JS - execution only in the preview page.
  • No custom script execution inside the builder page.

The first one is problematic and is discussed in the first post mentioned above. The second one is vulnerable too 😕

First, the reason there should not be any script execution in the builder is because a template author may include a script that steals your cookies with your emails, session token etc… and can log in to the uploader’s account as the uploader and: change passwords, steal content, steal leads etc…

I found two ways (maybe more) to create a template with a script that will execute immediately when the user enters the builder page:

**Injecting the script through the text editor:**

The editor doesn’t allow you to include non-text elements or add scripts to the text source HTML code, but it allows inline JS on text elements such as

As you can see this is fully supported by the text editor and will be saved in the page builder DOM - normally text editors filter element attributes, but not in this case.

**Injecting the script through the element’s name:**

Even easier than using the editor is injecting scripts directly into the element titles (in the tree view on the left) - most of the “name displaying” elements in the Unbounce app escape HTML tags, but not in this case:


Those are pretty serious issues since Unbounce is getting bigger and a lot of users are seeking new templates and even purchasing them. An attacker can easily exploit those weaknesses to take over accounts and cause harm to commercial users and private users.

Consider that a script embedded in a template that will execute immediately when the user clicks the “edit” button can send data easily using the ‘XMLHttpRequest’ object in a quick line of code, and there are several more ways to hijack the cookies and user information once you can execute scripts.

Your thoughts please.
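As an added illustration of the defensive side of the two vectors described in this post (this is example code, not anything from Unbounce), the checks below show what a page builder would apply before template content reaches the builder DOM: an allow-list sanitizer for text-element HTML that drops every `on*` attribute, `javascript:` hrefs and `<script>` blocks, and HTML escaping for element names rendered in the tree view. The template shape, the allow-lists and the sample inputs are assumptions for the example; a production sanitizer should be a maintained library rather than this minimal regex-based one.

```javascript
// Added example (not Unbounce code). Assumed template shape: { elements: [{ name, html }] }.

// Tags and attributes a text element may keep. Event handlers (onclick, onmouseover, ...)
// are not listed, so they are dropped; so is everything else not in the lists.
const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'strong', 'em', 'u', 'span', 'a', 'br',
                              'ul', 'ol', 'li', 'h1', 'h2', 'h3']);
const ALLOWED_ATTRS = new Set(['href', 'title', 'class']);

// Escape text that is rendered into HTML, e.g. element names in the tree view.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Tree-view label for an element: the name is escaped, never inserted as markup.
function renderTreeLabel(name) {
  return `<li>${escapeHtml(name)}</li>`;
}

// Accept only http(s), mailto and scheme-less (relative) URLs. Whitespace and control
// characters are removed first, because browsers ignore them inside a scheme.
function safeHref(v) {
  const url = String(v).replace(/[\s\u0000-\u001f]/g, '');
  return /^(https?:|mailto:|[\/#?]|[^:]*$)/i.test(url);
}

// Rebuild the markup keeping only allow-listed tags and attributes. <script>/<style>
// blocks go with their content; other unknown tags are removed but their text stays.
function sanitizeTextHtml(html) {
  const noBlocks = String(html).replace(/<(script|style)\b[\s\S]*?<\/\1\s*>/gi, '');
  return noBlocks.replace(/<(\/?)([a-z][\w-]*)([^>]*)>/gi, (m, slash, tag, attrs) => {
    tag = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash) return `</${tag}>`;
    const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
    let out = '';
    let a;
    while ((a = attrRe.exec(attrs)) !== null) {
      const name = a[1].toLowerCase();
      const value = a[2] ?? a[3] ?? a[4] ?? '';
      if (!ALLOWED_ATTRS.has(name)) continue;            // drops on* handlers etc.
      if (name === 'href' && !safeHref(value)) continue; // drops javascript: links
      out += ` ${name}="${escapeHtml(value)}"`;
    }
    return `<${tag}${out}>`;
  });
}

// Sanitize every text element of an uploaded template (names are escaped at render time).
function sanitizeTemplate(tpl) {
  return { elements: tpl.elements.map(e => ({ name: e.name, html: sanitizeTextHtml(e.html) })) };
}
```

Running `sanitizeTemplate` on a constructed template whose element carries `<p onmouseover="alert(1)">` and whose name contains `<img src=x onerror=alert(1)>` yields a plain `<p>` and an escaped label, which is the behaviour the post says the builder currently lacks.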


5 replies

Hi Shlomo,

First off, thanks so much for taking the time to find these security issues in our page builder.  I appreciate you being so thorough about showing us exactly where the vulnerabilities are; it’s a big help.  In this case, we were aware of and are already working on a fix that should be out in the next week or so.

Going forward, I’m hoping you’ll see the merit in reporting these to us directly instead of through our user forums.  We’re big fans of transparency here at Unbounce, and the goal isn’t to stop these vulnerabilities from reaching the community - we just want to have the chance to address and fix them before someone uses these exploits in a malicious manner. 

We’ll send you an email so you have a direct point of contact with our team in the future. 

Thanks again, Shlomo!

Hi Carl,

I’m always happy to help. I’m a developer and I’m finishing a few templates that are published in the Envato market. Those issues just popped up while experimenting with the app. I also don’t think those kinds of posts should be instantly public, but if you read my comments in the second thread you will see I tried to reach you but did not get a response.

A direct email will be great since there are two more issues that I will be happy to report about.

Regards 

It’s a constant battle to close holes and still keep up with the needs of the Unbounce community and the additional features that we all want. 

While I really love that we can purchase templates from external sources I do think the only true way forward to ensure there is no malicious code or intent would be to have them reviewed and tested by Unbounce themselves.

While there are some in the community who would be able to identify these kinds of exploits, the marketing strategy of “build your landing pages without a web designer” is targeting a less technical audience who perhaps wouldn’t even notice it happening.

I think templates should have a “seal of approval” directly from an Unbounce Template Quality Team.

I know that sounds expensive from a business perspective, but it’s about trust and safety.

Thanks

Stuart 🙂

Sent you an email, Shlomo. 

Interesting thought process, Stuart. We were having this _exact_ conversation internally, just yesterday.

On one hand, we completely agree. This manual process of scrubbing through the templates would be the most ideal solution. On the other hand, it would take a huge amount of bandwidth to do so; not initially, but when users update their templates periodically on third-party sites such as Themeforest, it will become increasingly hard to track. Some authors update their templates more than others, so it might prove difficult to track who _is updating their templates and when_, then circle back and get that seal of approval for each iteration (kind of like the Apple App Store).

We’re currently in talks to fix this specific issue in the meantime, but it would be great if we could also figure out a way to tackle the ‘Unbounce Seal of Approval’ situation. I think that has huge potential. 🙂
