ReadiumJS Cloud Reader — Everybody Gets an XSS!
Stumbling upon an XSS paradise.
Introduction
Late last year, I participated in a bug bounty programme organized by Singapore's Ministry of Defence (MINDEF) where I received the Top Bug Bounty Hunter award (yay!).
Finding these bugs required a deep dive into the targets and their underlying technologies. This meant that, among other things, I learnt about the existence of the EPUB format and the world of EPUB cloud readers.
This led me to discover a (surprisingly, somewhat known) XSS vulnerability in the Readium cloud reader that affects many university websites and online libraries.
I have attempted to get in touch with the maintainers to remediate the issue, but have not yet received any response. Going by the conventional 90-day disclosure timeline, I am now sharing details on this vulnerability.
What is an EPUB? What is a Readium?
The EPUB format is an XML-based ebook format created by the International Digital Publishing Forum (IDPF). It is one of the major ebook formats around today. Unlike other proprietary formats such as Amazon's Kindle KF8, the EPUB format is vendor-independent.
The Readium project was started by IDPF, and is one of the cited EPUB readers on the W3 website.
To see it in action, we can visit the Readium cloud reader demo. We can quickly see that the cloud reader renders iframe
s containing pages of the ebook.
Each page is fetched from the location indicated in data-src
and converted into the final rendered HTML. The pages are XHTML files and are called EPUB content documents. For example, page 1 of La Page Blanche contains the following content.
Popping Alerts
First of all, we could see that the iframe
does not have the sandbox
attribute present. This means that any scripts firing within the iframe
would execute on the same origin as its src
.
Readium will create a Blob
containing the page data and create a new blob:
URL for it (source). This is the URL that the frame src
is set to (source).
Unfortunately, this means that the iframe
's origin will always be that of the parent page.
Stored XSS
Suppose we are able to upload an ebook to an online library using Readium. We might upload a malicious EPUB that runs some evil JavaScript. Any user that opens our ebook would then have their account compromised.
To create such an EPUB, I copied an example EPUB from the Readium demo and changed the home page. An example PoC can be found here.
Note that we are using x:script
to make the payload work with XHTML parsers.
Reflected XSS
The above scenario requires us to have privileges on the target site to upload arbitrary EPUBs and serve them to other users. It turns out, however, that the cloud reader is able to load remote EPUBs as well.
The cloud reader uses medialize/URI.js to normalize the epub
query parameter, which is a relative URL (source).
However, when ebookURL
is an absolute URL, absoluteTo
retains the original base URL.
This means that by simply passing our hosted exploit URL to the epub
query parameter, we have a reflected XSS! This does not require us to have any permissions on the target site.
Using the example PoC on the Readium demo should pop an alert:
https://readium.firebaseapp.com/?epub=https://zeyu2001.github.io/readium-xss/
Who Uses Readium?
The Readium cloud reader is a rather old project. While more recent and popular cloud readers have been developed, some sites still use the Readium cloud reader, including the IDPF's own website and several university sites.
I have made best effort attempts at identifying these sites (e.g. through Google dorking) and reaching out to the responsible teams to remediate this vulnerability before the release of this post.
The sites that have since remediated the vulnerability include the University of Minnesota's College of Education and Human Development website, which no longer contains the cloud reader page.
Known Issue?
Interestingly, after doing some digging, I found that this was somewhat of a known issue. This documentation explains the issue.
One should note that if a cloud reader aims to support JavaScript, all publications will at least share the same database, which means it is possible for an author to access data that originated in a different publication.
However, it leaves only the following suggestions to mitigate the vulnerability.
Currently, the only options to protect against attacks (see "Security Concerns" section) are:
iframe
sandboxing;the Content Security Policy;
the Feature Policy.
These suggestions are not implemented in the default installation of readium-js-viewer.
Remediation
Since this is quite an old project, the best remediation might be to move to a more modern cloud reader. If Readium needs to be used, the iframe
s on the page should have the sandbox
attribute set.
Additionally, the page's Content Security Policy can be used to restrict where scripts can be loaded from.
Disclosure Timeline
11 October 2022: Contacted maintainers through OSS platform huntr.dev
16 December 2022: Contacted maintainers through GitHub issue
27 January 2022: This blog post is released
12 April 2023: CVE-2023-24720 assigned
Last updated