CVE-2024-22417 Information
Description
Whoogle Search is a self-hosted metasearch engine. In versions 0.8.3 and prior the element method in app/routes.py does not validate the user-controlled src_type and element_url variables and passes them to the send method which sends a GET request on lines 339-343 in requests.py. The returned contents of the URL are then passed to and reflected back to the user in the send_file function on line 484 together with the user-controlled src_type which allows the attacker to control the HTTP response content type leading to a cross-site scripting vulnerability. An attacker could craft a special URL to point to a malicious website and send the link to a victim. The fact that the link would contain a trusted domain (e.g. from one of public Whoogle instances) could be used to trick the user into clicking the link.The malicious website could for example be a copy of a real website meant to steal a person’s credentials to the website or trick that person in another way. Version 0.8.4 contains a patch for this issue.
Reference
https://securitylab.github.com/advisories/GHSL-2023-186_GHSL-2023-189_benbusby_whoogle-search/
https://github.com/benbusby/whoogle-search/commit/3a2e0b262e4a076a20416b45e6b6f23fd265aeda
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/request.py#L339-L343
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L465-L490
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L466
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L476
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L479
https://github.com/benbusby/whoogle-search/blob/92e8ede24e9277a5440d403f75877209f1269884/app/routes.py#L484C6-L484C7
Whoogle
Search
is
a
self-hosted
metasearch
engine.
In
versions
0.8.3
and
prior
the
element
method
in
app/routes.py
does
not
validate
the
user-controlled
src_type
and
element_url
variables
and
passes
them
to
the
send
method
which
sends
a
GET
request
on
lines
339-343
in
requests.py.
The
returned
contents
of
the
URL
are
then
passed
to
and
reflected
back
to
the
user
in
the
send_file
function
on
line
484
together
with
the
user-controlled
src_type
which
allows
the
attacker
to
control
the
HTTP
response
content
type
leading
to
a
cross-site
scripting
vulnerability.
An
attacker
could
craft
a
special
URL
to
point
to
a
malicious
website
and
send
the
link
to
a
victim.
The
fact
that
the
link
would
contain
a
trusted
domain
(e.g.
from
one
of
public
Whoogle
instances)
could
be
used
to
trick
the
user
into
clicking
the
link.The
malicious
website
could
for
example
be
a
copy
of
a
real
website
meant
to
steal
a
person’s
credentials
to
the
website
or
trick
that
person
in
another
way.
Version
0.8.4
contains
a
patch
for
this
issue.