XSS Vulnerability on Modify Group Page #408

Closed
aydinnyunus opened this issue Apr 19, 2021 · 3 comments

Summary

An authenticated malicious user can take advantage of an XSS vulnerability in the "Modify Group" feature in Admin.

Steps to Reproduce:

  • Log in to the Admin panel
  • Go to '/backend/groups/index.php'
  • Add group with name '">
  • Save group.

Impact

Cookie stealing - A malicious user can steal cookies and use them to gain access to the application.
Arbitrary requests - An attacker can use XSS to send requests that appear to be from the victim to the web server.
Malware download - XSS can prompt the user to download malware. Since the prompt looks like a legitimate request from the site, the user may be more likely to trust the request and actually install the malware.
Defacement - An attacker can deface the website using JavaScript code.

Add group with name: https://twitter.com/XssPayloads/status/1270944976705335296

Vulnerability affects all of the admin endpoints.

webbird (Contributor) commented Sep 23, 2021

The group name is saved as \"\">

webbird pushed a commit that referenced this issue Sep 24, 2021
webbird (Contributor) commented Sep 24, 2021

The group name is now escaped with htmlspecialchars(). Not a perfect solution, but good enough as backend access is required.

webbird closed this as completed Sep 24, 2021
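
The output escaping mentioned in the last comment, as an added example that is not part of the thread or the project's code. It assumes the stored group name is rendered into a form field's `value` attribute; the function names, the field name and the allow-list pattern are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helper names; not taken from the project's code base.

/** Escape a value for HTML element content or a quoted attribute value. */
function esc_html(string $value): string
{
    // ENT_QUOTES encodes both " and ' (the default flags before PHP 8.1
    // left single quotes untouched). ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of making the call return an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Unescaped rendering: the stored name is concatenated straight into markup. */
function render_group_field_unsafe(string $name): string
{
    return '<input type="text" name="group_name" value="' . $name . '">';
}

/** Escaped rendering: the stored name cannot leave the attribute value. */
function render_group_field(string $name): string
{
    return '<input type="text" name="group_name" value="' . esc_html($name) . '">';
}

/** Input-side check (assumed policy): letters, digits, space, _ . - only. */
function is_valid_group_name(string $name): bool
{
    return preg_match('/\A[\p{L}\p{N} _.\-]{1,64}\z/u', $name) === 1;
}

// Constructed sample: quote characters followed by inert markup.
$stored = '\'"><b>Editors</b>';

// The unescaped form closes the attribute early and emits a <b> element.
echo render_group_field_unsafe($stored), PHP_EOL;

// The escaped form keeps the whole string as the field's value.
echo render_group_field($stored), PHP_EOL;

// Rejecting such names on save is a second layer, not a replacement
// for escaping at output time.
var_dump(is_valid_group_name($stored));
var_dump(is_valid_group_name('Editors'));
```

Escaping belongs at every place the name is written into a page, since a value stored before the fix is still in the database unchanged.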