ReadiumJS Cloud Reader — Everybody Gets an XSS!
Stumbling upon an XSS paradise.
Last updated
Was this helpful?
Stumbling upon an XSS paradise.
Last updated
Was this helpful?
Late last year, I participated in a bug bounty programme organized by Singapore's where I received the (yay!).
Finding these bugs required a deep dive into the targets and their underlying technologies. This meant that, among other things, I learnt about the existence of the and the world of EPUB cloud readers.
This led me to discover a (surprisingly, somewhat known) XSS vulnerability in the cloud reader that affects many university websites and online libraries.
I have attempted to get in touch with the maintainers to remediate the issue, but have not yet received any response. Going by the conventional 90-day disclosure timeline, I am now sharing details on this vulnerability.
First of all, we could see that the iframe does not have the sandbox attribute present. This means that any scripts firing within the iframe would execute on the same origin as its src.
Unfortunately, this means that the iframe's origin will always be that of the parent page.
Suppose we are able to upload an ebook to an online library using Readium. We might upload a malicious EPUB that runs some evil JavaScript. Any user that opens our ebook would then have their account compromised.
Note that we are using x:script to make the payload work with XHTML parsers.
The above scenario requires us to have privileges on the target site to upload arbitrary EPUBs and serve them to other users. It turns out, however, that the cloud reader is able to load remote EPUBs as well.
However, when ebookURL is an absolute URL, absoluteTo retains the original base URL.
This means that by simply passing our hosted exploit URL to the epub query parameter, we have a reflected XSS! This does not require us to have any permissions on the target site.
Using the example PoC on the Readium demo should pop an alert:
https://readium.firebaseapp.com/?epub=https://zeyu2001.github.io/readium-xss/
The Readium cloud reader is a rather old project. While more recent and popular cloud readers have been developed, some sites still use the Readium cloud reader, including the IDPF's own website and several university sites.
I have made best effort attempts at identifying these sites (e.g. through Google dorking) and reaching out to the responsible teams to remediate this vulnerability before the release of this post.
One should note that if a cloud reader aims to support JavaScript, all publications will at least share the same database, which means it is possible for an author to access data that originated in a different publication.
However, it leaves only the following suggestions to mitigate the vulnerability.
Currently, the only options to protect against attacks (see "Security Concerns" section) are:
iframesandboxing;the Content Security Policy;
the Feature Policy.
Since this is quite an old project, the best remediation might be to move to a more modern cloud reader. If Readium needs to be used, the iframes on the page should have the sandbox attribute set.
Additionally, the page's Content Security Policy can be used to restrict where scripts can be loaded from.
16 December 2022: Contacted maintainers through GitHub issue
27 January 2022: This blog post is released
12 April 2023: CVE-2023-24720 assigned
The EPUB format is an XML-based ebook format created by the . It is one of the major ebook formats around today. Unlike other proprietary formats such as Amazon's Kindle KF8, the EPUB format is vendor-independent.
The project was started by IDPF, and is one of the cited EPUB readers on the .
To see it in action, we can visit the Readium cloud reader . We can quickly see that the cloud reader renders iframes containing pages of the ebook.
Each page is fetched from the location indicated in data-src and converted into the final rendered HTML. The pages are XHTML files and are called EPUB . For example, page 1 of La Page Blanche contains the following content.
Readium will create a Blob containing the page data and create a new blob: URL for it (). This is the URL that the frame src is set to ().
To create such an EPUB, I copied an example EPUB from the Readium demo and changed the home page. An example PoC can be found .
The cloud reader uses to normalize the epub query parameter, which is a relative URL ().
The sites that have since remediated the vulnerability include the , which no longer contains the cloud reader page.
Interestingly, after doing some digging, I found that this was somewhat of a known issue. documentation explains the issue.
These suggestions are not implemented in the default installation of .
11 October 2022: Contacted maintainers through OSS platform
