White-listed style attribute for table contents in MD enables UI redressing
From external security tests, https://gitlab.com/gitlab-com/infrastructure/issues/2438:
- Effort: Low
- Impact: Low
- Location: Markdown
It was discovered that the Gitlab markdown parser (i.e. for rendered MD files and alike) removes style attributes to avoid UI redressing attacks. This is a safe default and recommended. However,
<TD> elements (and seemingly only these) can in fact be applied with style attributes for unknown reasons. This allows an attacker to create styles for a
<TD> element that produce an absolutely positioned overlay that can be used for Phishing and UI redressing purposes. The following example snipped illustrates the Markdown necessary for a PoC attack.
<table><tr><td style="position: fixed; top: 0px; left: 0px; height: 50px; width: 50px; background: red; z-index: 999; font-size: 36px;"> <div>Please click <u>here</u> to legitely change your passwerd.</div> </td></tr></table>
Note that the attacker can also overlay existing links with transparent panels and thus can have every click a user performs redirected to a different origin.
- Create a file with the sample HTML content seen above
- Upload that file to a repository in Gitlab
- Click on the uploaded file to render it
No element should have the possibility to carry style attributes. If style attributes are necessary, a CSS sanitizer should be utilized that prohibits the use of positioning directives and transparency properties.