
Security release 1.6.2 of pretix

Aug. 21, 2017

During the last weeks, a number of security vulnerabilities have been found in pretix. We have therefore just released versions 1.4.1, 1.5.2, and 1.6.2 of pretix that fix these problems. We strongly recommend that you update your installation as soon as possible. If you are a customer of our hosted service, the vulnerabilities are already fixed for you and you do not need to take any action.

#1: Unvalidated Redirect [MEDIUM]

In the authentication component it was possible to redirect the user to an arbitrary other page, for example by accessing /control/login?next=http://example.org/. This only worked if the user was already logged in. Similarly, a POST request to /<organizer>/<event>/cart/add?next=//example.org could redirect you to an external page, since the URL validation did not catch scheme-relative URLs.

This could be used as part of a phishing attack: the user is sent a URL that appears trustworthy because it is on the domain of the pretix installation, but which then redirects to a third-party page that asks for login credentials again.

We fixed this problem by properly validating all redirection URLs in all places.
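The scheme-relative form is exactly what the original check missed. The following validator is an added example written for this post, not pretix's own code; it rejects that form together with the other common ways a `next` parameter can point off-site (the allowed hostname is a constructed value):

```python
from urllib.parse import urlparse

# Hostnames of this installation (constructed example values, not pretix's).
ALLOWED_HOSTS = {"tickets.example.com"}


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if following ``url`` keeps the user on our own site.

    Rejected:
      * absolute URLs to foreign hosts    http://example.org/
      * scheme-relative URLs              //example.org  (urlparse reports
        scheme='' but netloc='example.org'; a host-only check that
        requires a scheme misses this form)
      * extra-slash variants              ///example.org (browsers collapse
        the slashes and still leave the site)
      * scheme without authority          http:example.org (browsers treat
        it as http://example.org/)
      * non-http(s) schemes               javascript:, data:, ...
      * backslashes / control characters  /\\example.org, embedded newlines
    """
    if not url:
        return False
    if url != url.strip() or any(ord(c) < 0x20 for c in url) or "\\" in url:
        return False
    if url.startswith("//"):
        return False
    parsed = urlparse(url)
    if parsed.scheme not in ("", "http", "https"):
        return False
    if parsed.scheme and not parsed.netloc:
        return False
    # parsed.hostname strips user:pass@ and :port, so a URL such as
    # http://tickets.example.com@example.org/ is compared as example.org.
    if parsed.netloc and (parsed.hostname or "").lower() not in allowed_hosts:
        return False
    return True


def resolve_next(next_param: str, fallback: str = "/control/") -> str:
    """Use the ``next`` parameter only when it is safe, else a fixed page."""
    return next_param if is_safe_redirect(next_param) else fallback
```

In a Django application such as pretix, django.utils.http.url_has_allowed_host_and_scheme (named is_safe_url in the Django versions current in 2017) performs this check and is preferable to a hand-rolled validator.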

Severity rating: Since this bug cannot lead to a violation of permissions or to data leakage, but only to a wrong perception of trust, we assess the severity of this issue as medium.

Affected versions: All released versions of pretix are affected.

This issue has been found by Tom and Wojtek of ERNW GmbH. Thank you for reporting the issue to us!

#2: CSV Injection [MEDIUM]

In the pretix backend, it is possible to export various datasets, such as all order data, in CSV format. Since this data contains values entered by ticket buyers, buyers can insert arbitrary content into the CSV file. If the file is then opened by the user with specific versions of Microsoft Excel or LibreOffice, malicious macros included in the table cells might be used to execute code on the user's computer, or to trick the user into executing code since the file comes from a trusted source. You can read more about this type of issue here.

We fixed this problem by sanitizing all CSV output in a way that prevents all such injections that are known to us. For this purpose, we created a new Python library defusedcsv.
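The following is an added illustration of the sanitization approach described above, written in the spirit of defusedcsv but not that library's code; the sample orders are constructed:

```python
import csv
import io
import numbers

# Leading characters that make Excel / LibreOffice evaluate a cell as a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def defuse_cell(value) -> str:
    """Return ``value`` as a string that spreadsheets will show as plain text.

    Numbers produced by the application itself (prices, quantities) pass
    through unchanged, so a negative amount does not become "'-5".  Anything
    else is treated as untrusted: a leading trigger character gets a
    single-quote prefix, which Excel and LibreOffice read as "this cell is
    text", and a pipe inside such a cell is escaped because the DDE formula
    syntax uses it as a separator.  (Illustrative reimplementation, not the
    defusedcsv library's own code.)
    """
    if value is None:
        return ""
    if isinstance(value, numbers.Number) and not isinstance(value, bool):
        return str(value)
    text = str(value)
    if text and text[0] in FORMULA_TRIGGERS:
        text = "'" + text.replace("|", "\\|")
    return text


def write_defused_csv(rows, fieldnames) -> str:
    """Serialise dict rows to CSV with every cell passed through defuse_cell."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: defuse_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


# Constructed sample export: one attendee name is a formula, one phone number
# is harmless but still starts with a trigger character.
SAMPLE_ORDERS = [
    {"order": "ABC12", "attendee": "=1+1", "phone": "+49 30 123456", "total": -5.0},
    {"order": "DEF34", "attendee": "Alice", "phone": "", "total": 20.0},
]

if __name__ == "__main__":
    print(write_defused_csv(SAMPLE_ORDERS, ["order", "attendee", "phone", "total"]))
```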

Severity rating: Since this is arguably more a security problem of Excel and LibreOffice, the implications on pretix' side relate mainly to the fact that the file comes from a trusted source and users therefore do not expect any risk of this kind. We therefore assess the severity of this issue as medium.

Affected versions: All released versions of pretix are affected.

This issue has been found by Tom and Wojtek of ERNW GmbH. Thank you for reporting the issue to us!

#3: XSS in quota, product and event names [MEDIUM]

When malicious code was inserted into the names of quotas, products or events, it was not properly sanitized in about three places within the backend and one place within the frontend. While inserting this code requires high permissions in the application, it could allow an attacker to take over the session of another backend user. The injection was hard to exploit since pretix uses a Content Security Policy that forbids the execution of trivially inserted code in all supporting browsers.

We fixed this problem by properly sanitizing output in all affected places.

Severity rating: We rate this issue as medium because it can only be exploited by users who already have high permissions, and the exploit will not run by itself in any modern browser. However, note that issue #5 in this post includes a Content Security Policy bypass rated high that would still allow this issue to be exploited.

Affected versions: All released versions of pretix are affected to at least some degree.

This issue has been found by Tom and Wojtek of ERNW GmbH. Thank you for reporting the issue to us!

#4: XSS in question responses [HIGH]

When malicious code was inserted into the response to a free-text question, it would be executed in the admin backend on the page that shows a statistical overview of the given answers. This is due to both an escaping problem within pretix and a vulnerability in the JavaScript library used for charting the data. This would allow a ticket buyer to take over the session of an administrator or perform actions on their behalf.

Again, this issue is not easily exploitable in modern browsers due to the Content Security Policy rules employed by pretix, but issue #5 in this post contains a possible bypass.

The problem has been fixed by improving pretix's escaping routine for this kind of data and by updating the charting library to its newest development version, which contains a fix for the problem.

Severity rating: Since this issue can theoretically, in some cases, allow an arbitrary ticket buyer to take over an administrative user's session, we assess the severity of this issue as high.

Affected versions: All released versions of pretix are affected.

This issue has been found by our team while working on a fix for one of the issues listed above.

#5: Hotlinking of uploaded question files [HIGH]

Since the last feature release of pretix, it has been possible to create questions that are answered by uploading an arbitrary file. Since it was possible to hotlink those files, they could be used in phishing attacks or to bypass the Content Security Policy set by pretix, making it easier to exploit #3 or #4.

To fix this issue, we introduced a required token that needs to be sent along to download such a file. This token is session-bound, file-specific and only valid for one day. This makes it impossible to (a) link other users to the file or (b) exploit a CSP bypass in any user session other than the one the user already has access to.
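An added example of how a session-bound, file-specific, one-day token can be built as an HMAC over exactly those three values (this is not pretix's implementation; the secret key is a constructed demo value):

```python
import base64
import hashlib
import hmac
import time

# Assumption: the installation's secret key; here a constructed demo value.
SECRET_KEY = b"constructed-demo-secret-not-for-production"
TOKEN_LIFETIME = 24 * 60 * 60  # valid for one day, as in the fix


def _signature(session_key: str, file_id: str, expires: int) -> bytes:
    # NUL separators keep ("ab", "c") and ("a", "bc") from producing one message.
    msg = f"{session_key}\x00{file_id}\x00{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()


def issue_download_token(session_key: str, file_id: str, now=None) -> str:
    """Token usable only by this session, only for this file, for one day."""
    expires = int(now if now is not None else time.time()) + TOKEN_LIFETIME
    sig = base64.urlsafe_b64encode(_signature(session_key, file_id, expires)).decode()
    return f"{expires}.{sig}"


def verify_download_token(token: str, session_key: str, file_id: str, now=None) -> bool:
    """True only if the token was issued for this session and file and is unexpired."""
    try:
        exp_str, sig_b64 = token.split(".", 1)
        expires = int(exp_str)
        sig = base64.urlsafe_b64decode(sig_b64)
    except (ValueError, TypeError):
        return False
    now = now if now is not None else time.time()
    if now >= expires:
        return False
    # Constant-time comparison.  The session key is taken from the server-side
    # session, never from the request, so a token forwarded to another user
    # fails here even though file id and expiry still match.
    return hmac.compare_digest(sig, _signature(session_key, file_id, expires))
```

A real deployment would read SECRET_KEY from the installation's configuration and attach the token to the download URL, for example as a query parameter.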

To make CSP bypasses harder in general, it is now supported to set the media parameter to a URL on a different domain.

Affected versions: Only the latest stable version of pretix, 1.6.x, is affected by this issue.

This issue has been found by our team while working on a fix for one of the issues listed above.

#6: Referer leak [MEDIUM]

Product descriptions in pretix can contain links to external resources. When clicking on such a link, browsers send the URL of the linking page (the so-called referer) to the external page. This URL might contain sensitive information. In the case of the voucher redemption page, which lists the products available with a voucher, the URL contains the voucher code, which might be secret or personally identifiable.

pretix tells browsers to only send the origin part of the referer, which already mitigates this problem, but this is not respected by old browsers like Microsoft Internet Explorer.

To fix this issue for all browsers, we now route all links in user-generated content through our referer-hiding endpoint.
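As an added example (not pretix's code; the endpoint path is assumed), the following shows both halves of such a fix: rewriting a link to go via the endpoint, and the endpoint's response, which has to be an HTML page rather than an HTTP redirect because browsers carry the original referrer across redirects:

```python
import html
from urllib.parse import urlencode, urlparse

REDIRECT_PATH = "/redirect/"  # assumed path of the referer-hiding endpoint


def link_via_redirect(target: str) -> str:
    """URL that a link inside user-generated content should point at instead."""
    return REDIRECT_PATH + "?" + urlencode({"url": target})


def referer_hiding_response(target: str):
    """Build (status, headers, body) for the referer-hiding endpoint.

    A 30x response would not help: the browser keeps the referrer of the
    page that started the navigation.  So the endpoint answers with a small
    HTML page that declares 'no-referrer' both as a response header and as a
    <meta> tag (older browsers honour only one of the two) and then moves on
    via a meta refresh.
    """
    parsed = urlparse(target)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        # Reject javascript:, data: and relative/garbled targets so the
        # endpoint does not become an open redirect itself (cf. issue #1).
        return 400, {"Content-Type": "text/plain"}, "invalid redirect target"
    safe = html.escape(target, quote=True)
    body = (
        "<!DOCTYPE html><html><head>"
        '<meta charset="utf-8">'
        '<meta name="referrer" content="no-referrer">'
        f'<meta http-equiv="refresh" content="0;url={safe}">'
        "</head><body>"
        f'<a href="{safe}" rel="noreferrer noopener">Continue to {safe}</a>'
        "</body></html>"
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Referrer-Policy": "no-referrer",
        "Cache-Control": "no-store",
    }
    return 200, headers, body
```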

Severity rating: Since voucher codes might contain personally identifiable information that could be leaked to a third party, but only in deprecated browsers, we assess the severity of this issue as medium.

Affected versions: All released versions of pretix are affected.

This issue has been found by Nicole Klünder. Thank you for reporting this issue to us!

Fixed versions

All pretix installations running versions since 1.0.0 are affected. We have just released updates for the last three stable versions on PyPI that fix these problems. If you run a pretix installation older than 1.4, please upgrade it to a recent version now.

The new Docker images will appear on Docker Hub over the next few hours.

We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.

If you want to stay informed about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Twitter.

We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are human, security issues unfortunately might still occur from time to time. We do everything we can to find and fix them as quickly as we can. If you notice any security problems or have any questions on this topic, please contact us privately at support@pretix.eu. We will always treat your message with the appropriate priority.
