New research finds that the online text editor Etherpad has security vulnerabilities that could allow hackers to remotely compromise a victim’s server and steal sensitive information. Paul Gerste, vulnerability researcher at SonarSource, discovered the two vulnerabilities, CVE-2021-34817 and CVE-2021-34816, in the editor. He rated them ‘critical’ because, together, they make it possible to remotely compromise servers.
A cross-site scripting (XSS) flaw enables attackers to create a malicious shared document, or ‘pad’, that can execute attacker-controlled code in the victim’s browser, allowing the attacker to read, create, or modify data. The second vulnerability is an argument injection bug: it lets an attacker who already has administrative access execute arbitrary code on the server through plugins installed from a compromised URL.
Etherpad version 1.8.14 fixes the XSS vulnerability, but the argument injection vulnerability remains unpatched. However, the researchers said it is “significantly harder” to exploit on its own.
A blog post released on Tuesday states that Etherpad has more than 250 plugins available and offers a version history as well as chat functionality. It is particularly popular within the open source community and has been bookmarked more than 10,000 times by users.
A report in The Daily Swig quoted Gerste as saying that the vulnerabilities are serious when chained, but that there are limits to their exploitation. “Instances with default configuration are vulnerable. The attacker needs to be able to import a pad, so if the Etherpad instance is publicly accessible and pad creation is not restricted, then it is vulnerable,” Gerste said.
Regarding the argument injection vulnerability, he said: “This can only be exploited if an admin account exists, which is not the case in a default configuration.” An attacker can therefore abuse the vulnerability only after compromising an administrator’s account, which can be achieved either via exploitation of the XSS vulnerability “or by other means”.
Gerste said that the project’s maintainers were quick to respond to his report and “took the matter seriously”, although they have fixed only one of the two issues so far.
“Since people can publish plugins via NPM, attackers could always find a way to introduce malicious code, so admins should always be careful which plugins they install.”