Security release 4.5.1 of pretix
In the past days, thanks to an external report, we identified two security-relevant issues inside pretix. We therefore just released versions 4.5.1, 4.4.1, and 4.3.1 of pretix that fix these problems. We strongly recommend that you update your installation as soon as possible. If you are a customer of our pretix Hosted service, the vulnerabilities are already fixed for you and you do not need to take action.
The security risk of these two issues is rather small and neither of them can be used for unauthorized data access. There is no risk that your customer data was impacted in any way.
#1: Unvalidated redirect [MEDIUM]
When a user navigates from a pretix-generated page to an external link, e.g. to the website of the event organizer, their browser might send the full URL of the pretix-generated page to the external website ("referrer"). Since pretix-generated URLs can contain sensitive information, this is a possible information leak. While pretix has prevented this for modern browsers from the start with the Referrer-Policy header, not all browsers support this.
Back in 2016, pretix introduced something that is commonly known as a "dereferrer". The idea is that if you click the link, we will first take you to a different page of the format /redirect/?url=https://external.example.org that will then redirect you to the external target, thus hiding the original page you are coming from.
Since unvalidated redirects are generally considered a security risk because they can be abused in phishing campaigns, the format of the URL does not look exactly as shown above, but also includes a cryptographic signature such that you cannot modify the url query parameter.
However, as the reporter of this issue correctly pointed out to us, that is not of much help if anyone with a pretix backend account can create valid signatures. Therefore, on all instances of pretix shared by a significant number of backend users, this protection becomes pointless.
While we cannot remove the "dereferrer" without risking a more severe problem, we can make it harder to abuse. With this release, the dereferrer page will only work as-is when the request is originating from inside pretix (same-site). If the dereferrer is linked to from an external source (such as a phishing email), it will show an intermediate page with a warning first.
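As an added illustration (not pretix's own code), here is a minimal signed dereferrer endpoint that applies the same-site check described above: a valid signature alone is no longer enough, the request must also originate from inside the site, otherwise a warning page is shown. The URL format with a sig parameter, HMAC-SHA256 signing, the constructed secret, and the use of the Sec-Fetch-Site and Referer headers are assumptions of this example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed secret for this example; a real deployment uses its own server-side key.
SECRET_KEY = b"example-only-signing-key"


def sign_redirect_url(target: str, secret: bytes = SECRET_KEY) -> str:
    """Build a dereferrer link of the (hypothetical) form /redirect/?url=...&sig=..."""
    sig = hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()
    return "/redirect/?" + urlencode({"url": target, "sig": sig})


def handle_redirect(path_with_query: str, headers: dict, secret: bytes = SECRET_KEY) -> tuple:
    """Decide what the dereferrer endpoint does for one incoming request.

    Returns ("redirect", url) for a valid signature on a same-site request,
    ("warn", url) for a valid signature reached from outside the site
    (e.g. a link in an e-mail), and ("reject", None) for a missing or bad signature.
    """
    qs = parse_qs(urlsplit(path_with_query).query)
    target = qs.get("url", [None])[0]
    sig = qs.get("sig", [""])[0]
    if target is None:
        return ("reject", None)
    expected = hmac.new(secret, target.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: the signature still stops tampering with the url parameter.
    if not hmac.compare_digest(sig, expected):
        return ("reject", None)
    # Same-site check: anyone with a backend account could mint a valid signature,
    # so additionally require that the browser arrived here from inside the site.
    # Modern browsers send Sec-Fetch-Site; otherwise fall back to comparing the
    # Referer host with our own Host header (a missing Referer counts as cross-site).
    site = headers.get("Sec-Fetch-Site")
    if site is None:
        ref_host = urlsplit(headers.get("Referer", "")).hostname
        own_host = (headers.get("Host") or "").split(":")[0]
        site = "same-site" if ref_host and ref_host == own_host else "cross-site"
    if site in ("same-site", "same-origin"):
        return ("redirect", target)
    return ("warn", target)
```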
Severity rating: Since this bug cannot lead to a violation of permissions or a data leakage but only to a wrong perception of trust, we assess the severity of this issue as medium.
Affected versions: All released versions of pretix are affected.
This issue has been reported to us by TQ software Solution Corporate with Alpha Inferno, (SMC) Pvt Ltd.
#2: XSS in quota and check-in list names [LOW]
If HTML is contained in the name of a quota or check-in list, it was not properly escaped when used in tooltips such as in the list of dates of an event series or when hovering over the check-in state of a ticket.
As far as we can tell, it was impossible to exploit this for two reasons:
We employ a strict Content-Security-Policy which generally makes almost all XSS vulnerabilities harmless by themselves since they cannot perform calls to any external sources, and they often cannot even execute embedded scripts.
Severity rating: Since this bug is not really exploitable for two independent reasons, we assess the severity of this issue as (very) low.
Affected versions: pretix versions 1.8.0 until 4.5.0 are affected.
The original issue has been reported to us by TQ software Solution Corporate with Alpha Inferno, (SMC) Pvt Ltd; similar issues in other places have been discovered internally.
All pretix installations are affected. We just released updates for the last three stable versions on PyPI that fix the problem. If you run a pretix installation older than 4.3, please upgrade to a recent version now.
The new docker images will appear on Docker Hub over the next few hours.
We strongly recommend that you always run the latest version of pretix, as every release contains useful and important bug fixes, even if they are not security related.
If you want to keep updated about bugfix and security releases, you should follow this blog closely. An RSS feed is available and we also announce every blog post on Twitter.
We take the security of our product very seriously and always go the extra mile to make sure you stay safe. As we are humans, security issues unfortunately still might occur from time to time. We do everything we can to find and fix them as timely as we can. If you notice any security problems or have any questions on this topic, please contact us in private at firstname.lastname@example.org. We will always treat your message with the appropriate priority.