HTML Injection

[gpsilv4]

The application at data.gouv.fr is vulnerable to Persistent HTML Injection, via PUT and POST, in:

• /api/1/organizations/ (Administration > + > An organization)
• /api/1/organizations/< xxx >/ (right panel > select an organization > Edit )
• /api/1/datasets/ (Admin > + > A dataset)
• /api/1/datasets/xxx/ (right side panel > select a dataset > Edit )
• /api/1/reuses/ (Admin > + > One reuse)
• /api/1/reuses/xxx/ (right side panel > select a dataset > Edit )

The application fails to sanitize the Description parameter, allowing the injection of HTML that will be executed when the user visits the pages:

• /fr/organizations/< organization name >/
• /fr/datasets/< organization name >/
• https://data.gouv.fr/reuses/< organization name >/

HTML Injection vulnerabilities arise when data submitted by a user is used in subsequent application responses in an insecure way. An attacker can use this type of vulnerability to build a valid URL (with injected HTML), which could facilitate other attacks, namely Phishing.

Suggestion:
All data submitted by users must be properly sanitized and filtered, on the server side, before being returned to users.

[maudetes]

We are vigilant on XSS attacks and always sanitize user content to make sure malicious content never get executed.
See for example datagouv/data.gouv.fr#409 on injections mitigation on Vue delimiters.
This said, we may have missed a particular case and would be curious to discuss your findings in our up-comping conversation.