Details
-
Bug
-
Resolution: Fixed
-
Critical
-
7.4.4, 8.2.1, 8.3-milestone-1
-
None
-
N/A
-
N/A
-
Description
I've discovered a new kind of attack: target="_blank".
When you create a new link with the attribute target="_blank", the link is open in a new window. However, the page inside this new window can still control the previous window using javascript. Of course, some API are restricted, but window.location is not.
It means that the new website can redirect the initial window to a phishing page, that looks like the real XWiki, but actually ask for the credentials...
Apparently, this vulnerability is very common and badly known...
Some explanation: https://dev.to/phishing
XWiki is vulnerable to this. I have created a new page with this link:
[[https://dev.to/||target="_blank"]]
which is the syntax we suggest in our Help Guide.
When you click on it, the website dev.to is open in a new window, but in the same time, the first window is going to https://dev.to/phishing.
Fortunately, preventing this is easy. All we need to do is to add rel="noopener noreferrer" as an attribute of every link that already have target="_blank".
This could be done in our rendering system and also in the HTMLCleaner.
Attachments
Issue Links
- is related to
-
-
- Closed
-
-
XWIKI-13675 Upgrade Nu Validator to 16.6.29
-
- Closed
-
-
XCOMMONS-1058 HTMLCleaner should fix target="_blank" vulnerability
-
- Closed
-