-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Title
=====
SCHUTZWERK-SA-2022-001: Cross-Site-Scripting in Papaya Medical Viewer
Status
======
PUBLISHED
Version
=======
1.0
CVE reference
=============
CVE-2023-33255
Link
====
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001/
Text-only version:
https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2022-001.txt
Further SCHUTZWERK advisories:
https://www.schutzwerk.com/blog/tags/advisories/
Affected products/vendor
========================
Papaya, Research Imaging Institute - University of Texas Health Science Center
Summary
=======
User supplied input in the form of DICOM or NIFTI images can be loaded into the
Papaya web application without any kind of sanitization. This allows to inject
arbitrary JavaScript code into the image's metadata which will in consequence be
executed as soon as the metadata is displayed in the Papaya web application.
Risk
====
The vulnerability allows an attacker to inject arbitrary JavaScript code into
the Papaya web application. A risk calculation highly depends on how the Papaya
software is used as a library in the context of a bigger medical web
application. During the discovery of this vulnerability, the web application
which used Papaya allowed to upload and store corresponding images on the web
server and display them to multiple users. It was therefore possible to store
JavaScript code on the server and attack users to impersonate or steal their
session, leading to a disclosure of sensitive medical data.
Description
===========
A medical web application assessed for security vulnerabilities by SCHUTZWERK
was found to contain a stored cross-site-scripting vulnerability. The
application uses the Papaya JavaScript software[0] published by the Research
Imaging Institute belonging to the University of Texas Health Science Center[1].
The software is described as "[..] a pure JavaScript medical research image
viewer, supporting DICOM and NIFTI formats, compatible across a range of web
browsers [..]". It can be used stand-alone or integrated into larger medical
applications, has 192 forks and 488 stars on GitHub and was used in at least 50
published academic research papers[2].
One of the main features is to open medical images of multiple formats, which
can be achieved via the context menu "File - Add image...". Papaya then displays
the image and adds a new icon in the upper right corner of the viewer. This icon
allows to open another context menu to edit the previous opened image as a layer
in multiple ways. The option of interest for the cross-site-scripting
vulnerability is the "Show Header" entry, which allows getting further
information about the medical image.
An example DICOM[3] zip archive was downloaded[4], extracted and opened in
Papaya. The "Show Header" function shows multiple entries including private
patient data fields like patient ID, name, date of birth and gender.
The DICOM ToolKit (DCMTK)[5] offers multiple tools to analyze, create and edit
DICOM images. The metadata field "Manufacturer" of the previously downloaded
DICOM image was edited with help of the DCMTK tool dcmodify:
DICTPATH=/tmp/share/dcmtk/dicom.dic dcmodify -m
"Manufacturer=" 2_skull_ct/DICOM/I0
The DCMTK tool dcmdump can be used to verify the manipulated metadata entry:
dcmdump 2_skull_ct/DICOM/I0
[..]
# Dicom-Data-Set
[..] (0008,0070) LO [] # 26, 1 Unknown
Tag & Data [..]
Viewing the header information of the manipulated DICOM image in Papaya executes
the injected JavaScript code in the web browser.
SCHUTZWERK decided to publish the still existing vulnerability (commit 4a42701),
since the vendor did not implement any remediation several months after new
contributors have been introduced to the project.
Solution/Mitigation
===================
Several mitigation recommendations have been sent to the vendor. These include
common mitigation strategies from OWASP[6], like escaping user controlled input
and the usage of popular JavaScript libraries like DomPurify[7].
As a quick workaround, the context menu, which allows showing header information
can be disabled by setting the variable kioskMode to true.
Disclosure timeline
===================
2020-08-20: Vulnerability discovered 2020-08-20: Vulnerability reported to
vendor
2020-09-30: Contacted vendor again
2020-09-30: Vendor responds and asks for mitigation ideas
2020-10-01: Response to vendor with detailed information and mitigation ideas
2020-11-09: Contacted vendor again for any status updates
2022-08-30: Retest of the customer application including the Papaya web
application
2022-09-21: Notified vendor of intention to publish advisory
2022-10-18: Vendor notified SCHUTZWERK of new contributors who will maintain the
project
2023-04-19: Informed vendor about publication deadline on May 15, 2023
2023-05-08: Vendor replied with intention to fix vulnerability until May 15,2023
2023-05-15: Vulnerability fixed by vendor
2023-05-26: Advisory published by SCHUTZWERK
Contact/Credits
===============
The vulnerability was discovered during an assessment by Lennert Preuth of
SCHUTZWERK GmbH.
References
==========
[0] https://github.com/rii-mango/Papaya
[1] https://rii.uthscsa.edu/
[2] http://mangoviewer.com/pubs.html
[3] https://en.wikipedia.org/wiki/DICOM
[4] https://medimodel.com/sample-dicom-files/human_skull_2_dicom_file/
[5] https://dicom.offis.de/dcmtk.php.de
[6] https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_
Prevention_Cheat_Sheet.html
[7] https://github.com/cure53/DOMPurify
Disclaimer
==========
The information in this security advisory is provided "as is" and without
warranty of any kind. Details of this security advisory may be updated in order
to provide as accurate information as possible. The most recent version of this
security advisory can be found at SCHUTZWERK GmbH's website.
-----BEGIN PGP SIGNATURE-----
iQJOBAEBCgA4FiEEgLsg7Oj/wY3LSF87GrXfkTIXLrsFAmRwkEgaHGFkdmlzb3Jp
ZXNAc2NodXR6d2Vyay5jb20ACgkQGrXfkTIXLrvCEA//YsP7ZUvk9VLzp49DtsMP
HQF0ojoBmNZOi5fymVDRGScmMT5VLOsdp9EUEywPYxmxo1rPc4vv6gM3hQsQ7TRO
oAb9ZeZjvYy2Nyz6cy3wX4H2naFOHEr085Uwpg9pX5DAHkQVsseTi/n04u5PT5xP
Fnuozie/KOG4pmkkKFHmG6aWgUSXWZuq8japOghl6g35BmG7ntXG2OYsb7f5ITYw
ksRbJt+8wetrBsa/pR6ZfEkoEpyuFZg85EDpDRoBPVlGZtuSF6dh+WfO+9VQBjLE
dZwPRaXefHp/v89rEfWvkX3JGmGWh6P8KQ+puF3GHLcBa8iDIbW/HPfQHGuGhfIa
upZ1E+HtgpxInxelM/BcFKXSjD4AMnAULa2C6nWsdmw8GIKHHus+WQuK1z40R7N4
Vji59buH9SBWAWb7MuyRrdxoZSmAuxcR7lXVzHMxSOZm0W7J0d9luLL8XUn4kj8+
tRE24TgbdGyAYr/V6BO9RiYCtyWPji5VBtwFZLFlvKRo81zyS9nve651nWS7Fv/l
OGns4fGbEZ+sm/YuFdfyzg8TMJ0pqV0AswCnx9mSqWn3RRBHg55pE4i6IyUdofu/
eiaTl33oyGolW7rQ5ATtmsOgKp5jKb7rt3WVSBLn1D9+JJ8MfbDrvyUoTkIZaqEp
4bKAQKWvxQG8GpbKuQT4on0=
=IEuk
-----END PGP SIGNATURE-----