White-listed style attribute for table contents in MD enables UI redressing
From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:
- Effort: Low
- Impact: Low
- Location: Markdown
Details
It was discovered that the Gitlab markdown parser (i.e. for rendered MD files and alike) removes style attributes to avoid UI redressing attacks. This is a safe default and recommended. However, <TH>
and <TD>
elements (and seemingly only these) can in fact be applied with style attributes for unknown reasons. This allows an attacker to create styles for a <TH>
or <TD>
element that produce an absolutely positioned overlay that can be used for Phishing and UI redressing purposes. The following example snipped illustrates the Markdown necessary for a PoC attack.
<table><tr><td style="position: fixed; top: 0px; left: 0px; height:
50px; width: 50px; background: red; z-index: 999; font-size: 36px;">
<div>Please click <u>here</u> to legitely change your passwerd.</div>
</td></tr></table>
Note that the attacker can also overlay existing links with transparent panels and thus can have every click a user performs redirected to a different origin.
Reproduction Steps
- Create a file with the sample HTML content seen above
- Upload that file to a repository in Gitlab
- Click on the uploaded file to render it
Recommendation
No element should have the possibility to carry style attributes. If style attributes are necessary, a CSS sanitizer should be utilized that prohibits the use of positioning directives and transparency properties.