
XSS in team name field #592

Closed
yunolikeme opened this issue Mar 21, 2018 · 2 comments

Comments

@yunolikeme

I noticed that there are a few reports of XSS and you don't seem to believe that XSS from a privileged user is a problem. I have found an XSS where a user can target an admin user.

If someone makes a team name with a script, when an admin user tries to delete the team, the script will execute in the popup window. Case in point, iframe in the demo environment.

ctfdxss
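As an added example (not CTFd's code), the rendering pattern behind this report and its fix, in Node.js: a team name is user-controlled data, so the delete-confirmation popup has to treat it as text rather than markup. The function names are hypothetical and the team name is a constructed, inert sample.

```javascript
// Added example, not CTFd code: the stored-XSS pattern from the report and its fix.
// Node only: strings are built and compared, nothing is rendered in a browser.

// Minimal HTML entity escaper for text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[ch]);
}

// Vulnerable pattern: the name is concatenated straight into markup, so a team
// named with a tag is parsed as HTML when the admin's popup is shown.
function renderDeleteConfirmUnsafe(teamName) {
  return "<p>Delete team " + teamName + "?</p>";
}

// Fixed pattern: escape on output; the browser shows the raw name as text.
function renderDeleteConfirm(teamName) {
  return "<p>Delete team " + escapeHtml(teamName) + "?</p>";
}

// Check helper: does the rendered markup still contain a tag of the given name?
// Used to compare the two renderings above.
function containsTag(html, tagName) {
  return new RegExp("<" + tagName + "[\\s>]", "i").test(html);
}

// Constructed team name modelled on the report (an inert iframe, not a payload).
const CONSTRUCTED_TEAM_NAME = '<iframe src="about:blank"></iframe>';

const UNSAFE_OUTPUT = renderDeleteConfirmUnsafe(CONSTRUCTED_TEAM_NAME); // tag survives
const SAFE_OUTPUT = renderDeleteConfirm(CONSTRUCTED_TEAM_NAME);         // tag is escaped

// In a real page, prefer DOM APIs that never parse the string, e.g.
//   node.textContent = teamName;   // instead of node.innerHTML = "..." + teamName
// or a template engine with autoescaping enabled (Jinja2 / nunjucks {{ name }}).
```

The same rule applies to every other place a team name is echoed to an admin (tables, tooltips, log views), not only the delete popup.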

@ColdHeat
Member

Okay this is a reasonable issue.

XSS from a privileged user to a privileged user is not a problem because there is no escalation.

ColdHeat added a commit that referenced this issue Mar 21, 2018
ColdHeat added a commit that referenced this issue Apr 16, 2018
* Chals endpoint separation (#572)

* Separate the logic of ctftime and email confirmations and admin checking into decorators
* Separate the chals endpoint into /chals and /chals/:id. Closes #552, #435.
* Challenges are now loaded directly from the server before being displayed to the user. 
* Challenge modals now use `{{ description }}` instead of `{{ desc }}`.
* 403 is now a more common status code and can indicate that a CTF has not begun or that you are not logged in. This is in addition to CSRF failures. 
* Update tests to new behavior

* Fixing glitch if an entry chal or team id isn't defined

* Markdown it (#574)

* Replace Marked with Markdown-It

* Update modal change (#576)

* Switch update modals to use nunjucks instead of JS to load in data. 
* Fix previewing challenges after hitting the challenge update button.
* Fix edit-files issue with an unnecessary request.

* Fix solves button

* Closes #592
@20esaua

20esaua commented May 21, 2019

@ColdHeat I know this issue is old, but this comment is not responding to this issue. I disagree with your assertion regarding XSS without escalation. Although self XSS is of significantly lower severity than remotely-exploitable reflected/stored XSS vulns, it is an easy fix and should be fixed. Otherwise, it is possible that the vuln could be chained with another vuln and used in a practical attack. XSS is an easy fix 99% of the time, so it's almost always worth the effort to go ahead and fix it even though a practical attack may not seem apparent.

Edit: This comment would probably be more appropriate on this issue, sorry: #905 (comment)

@CTFd CTFd locked as resolved and limited conversation to collaborators May 22, 2019
JJwang11 pushed a commit to sigpwny/CTFd that referenced this issue Jan 22, 2020