Hackage-Server Stored Cross-Site Scripting Vulnerability
Vulnerability
A critical stored cross-site scripting vulnerability has been identified in Hackage-Server, affecting version 0.5 and prior. It arises because HTML and JavaScript files uploaded as part of source packages or through the documentation upload feature are served, unsanitized, from the main Hackage Haskell domain, that is, the same origin that carries users' HTTP credentials. As a result, when a user with active HTTP credentials visits package pages or documentation published by a malicious maintainer, their session can be hijacked. This allows the attacker to upload packages or documentation, modify maintainer details or other package metadata, or perform any other action the user is authorized to perform.
Impact
Exploitation of this vulnerability allows session hijacking, enabling an attacker to perform any action on behalf of the user, such as uploading packages, editing package metadata, or adding new maintainers. Additionally, the injected scripts could render a fake login form on the trusted domain to capture user credentials, which could then be used to perform authorized actions.
Remediation
Users of Hackage-Server should update to version 0.6 or later and configure the user content domain to `hackage-content.haskell.org`, so that uploaded packages and documentation are served from an origin separate from the authenticated site. Instructions for updating can be found in the Hackage-Server GitHub repository.
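The following is an added illustration of the origin-separation mitigation described above and of why the vulnerability exists; it is not code from Hackage-Server. It assumes a main domain of `hackage.haskell.org`, invents the `/package/...` path patterns and the `route`/`session_cookie_isolated` helpers, and shows two checks a deployer would want: user-uploaded content on the main domain is redirected to the content domain and served there inside a sandboxed, credential-less origin, and the session cookie must not be scoped to a parent domain shared by both hosts, which would silently defeat the separation.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# The content domain is the one named in the advisory; the main domain is assumed.
MAIN_DOMAIN = "hackage.haskell.org"
CONTENT_DOMAIN = "hackage-content.haskell.org"

# Path shapes under which uploaded content (package tarballs, rendered HTML/JS
# documentation) is served. Constructed for this example, not the project's router.
USER_CONTENT_PREFIXES = ("/package/",)
USER_CONTENT_MARKERS = ("/docs/", ".tar.gz")

# Headers for everything served from the content domain: CSP sandbox without
# allow-same-origin gives uploaded HTML an opaque origin, so its scripts cannot
# read cookies or storage of any real origin; nosniff blocks MIME confusion.
CONTENT_HEADERS = {
    "Content-Security-Policy": "sandbox allow-scripts",
    "X-Content-Type-Options": "nosniff",
}

@dataclass
class Decision:
    action: str                     # "serve" | "redirect" | "reject"
    location: Optional[str] = None  # redirect target
    headers: Dict[str, str] = field(default_factory=dict)

def is_user_content(path: str) -> bool:
    return path.startswith(USER_CONTENT_PREFIXES) and any(m in path for m in USER_CONTENT_MARKERS)

def route(host: str, path: str) -> Decision:
    """Vulnerable layout: user content served on MAIN_DOMAIN. Fixed layout:
    it is only ever served on CONTENT_DOMAIN, which hosts nothing else."""
    if host == MAIN_DOMAIN and is_user_content(path):
        return Decision("redirect", f"https://{CONTENT_DOMAIN}{path}")
    if host == CONTENT_DOMAIN:
        if not is_user_content(path):
            return Decision("reject")  # no login form or metadata endpoints here
        return Decision("serve", headers=dict(CONTENT_HEADERS))
    return Decision("serve")

def session_cookie_isolated(set_cookie: str) -> bool:
    """Check a Set-Cookie header: a Domain attribute naming a parent of both hosts
    (e.g. Domain=.haskell.org) would send the session to the content domain too.
    Only host-only cookies or ones scoped exactly to MAIN_DOMAIN pass."""
    for attr in (p.strip() for p in set_cookie.split(";")[1:]):
        key, _, value = attr.partition("=")
        if key.lower() == "domain":
            return value.strip().lower().lstrip(".") == MAIN_DOMAIN
    return True  # no Domain attribute: host-only cookie, not shared with subdomains
```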