phenixdigital phoenix_storybook
- >= 0.4.0, < 1.1.0
A vulnerability in the Phenixdigital Phoenix Storybook library, affecting versions from 0.4.0 up to but not including 1.1.0, allows cross-session PubSub topic injection through a URL query parameter. The issue is in the 'Elixir.PhoenixStorybook.Story.ComponentIframeLive' module, where the 'handle_params/3' function reads a PubSub topic directly from the request parameters without verifying that it belongs to the requesting session. This flaw enables an attacker to hijack the communication between a playground LiveView and its iframe by injecting their own iframe process ID into a victim's session-specific topic, disrupting the intended message flow.
Exploitation of this vulnerability leads to unauthorized cross-session information disclosure and message injection. An attacker can intercept and redirect private control messages from a victim's playground to an iframe process they control, causing a disruption in the application's intended functionality.
To reproduce this vulnerability, load the vulnerable iframe URL with a topic parameter that corresponds to a victim's private topic. The iframe will broadcast its process ID onto the victim's topic, allowing the attacker to intercept private messages intended for the victim.
Users can upgrade to Phoenix Storybook version 1.1.0 or later, where this vulnerability has been fixed.
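For code that follows the same pattern and cannot rely on a library upgrade, one way to enforce the missing ownership check is sketched below. This is an added example, not the project's code or its actual patch; the module name TopicGuard, the "session_id" session key, the "playground-" topic format and the sample values are all assumptions.

```elixir
# Added example: hypothetical helper, not phoenix_storybook code.
defmodule TopicGuard do
  # Assumption: each session holds an unguessable "session_id" that the
  # server can read for both the playground and its iframe.
  @prefix "playground-"

  # Derive the only topic this session may use. The HMAC keeps the topic
  # unguessable and ties it to a server-side secret.
  def topic_for(session_id, secret) do
    mac = :crypto.mac(:hmac, :sha256, secret, session_id)
    @prefix <> Base.url_encode64(mac, padding: false)
  end

  # Accept the client-supplied topic only if it is the session's own topic.
  def authorize(%{"topic" => topic}, %{"session_id" => sid}, secret)
      when is_binary(topic) and is_binary(sid) do
    if secure_equal?(topic, topic_for(sid, secret)) do
      {:ok, topic}
    else
      {:error, :foreign_topic}
    end
  end

  def authorize(_params, _session, _secret), do: {:error, :missing_topic}

  # Comparison that does not stop at the first differing byte.
  defp secure_equal?(a, b) when byte_size(a) == byte_size(b) do
    diff =
      Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
      |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end)

    diff == 0
  end

  defp secure_equal?(_a, _b), do: false
end

# Constructed sample data: two sessions and a made-up server secret.
secret = "constructed-server-secret"
session_a = %{"session_id" => "session-a"}
session_b = %{"session_id" => "session-b"}
topic_a = TopicGuard.topic_for("session-a", secret)

IO.inspect(TopicGuard.authorize(%{"topic" => topic_a}, session_a, secret), label: "own topic")
IO.inspect(TopicGuard.authorize(%{"topic" => topic_a}, session_b, secret), label: "other session's topic")
IO.inspect(TopicGuard.authorize(%{}, session_a, secret), label: "no topic")
```

A 'handle_params/3' callback built on this check would subscribe or broadcast only on the `{:ok, topic}` result and ignore the parameter otherwise.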