Stored XSS in lib/functions.php:1519 #918

Closed
@scarvell

Lower risk, given that an account requires access to be able to add/edit external links to store the XSS, but line 1519 of lib/html.php isn't sanitizing $tab['title'].

print "<li><a id='" . (isset($tab['id']) ? $tab['id'] : 'maintab-anchor-' . $i) . "' class='lefttab" .(isset($tab['selected']) ? ' selected':'') . "' href='" . $tab['url'] . "'>" . $tab['title'] . "</a></li>\n";

Although the title field in external_links is a varchar(20), we can get around that restriction by creating multiple tabs and using comment blocks to keep the XSS valid:

Create the first tab with title:
<script>alert(1)/*

Create second tab with title:
*/</script>

Tested against version 1.1.17
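
A hardened form of the output line quoted in the report, as an added example; it is not code from this issue or from the project's eventual fix. The helper names `h()` and `render_tab()` and the sample tab rows (including the `link.php` URLs) are hypothetical.

```php
<?php
// Added example: context-aware output encoding for the tab markup quoted in the report.
// h() and render_tab() are hypothetical names, not functions from the project.

function h($value): string
{
    // ENT_QUOTES is required here: the markup delimits attributes with single
    // quotes, which htmlspecialchars() only encodes when ENT_QUOTES is set.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_tab(array $tab, int $i): string
{
    $id    = isset($tab['id']) ? $tab['id'] : 'maintab-anchor-' . $i;
    $class = 'lefttab' . (isset($tab['selected']) ? ' selected' : '');

    // Every database-sourced value is encoded at the point of output,
    // not only the title field named in the report.
    return "<li><a id='" . h($id) . "' class='" . $class . "' href='" . h($tab['url']) . "'>"
        . h($tab['title']) . "</a></li>\n";
}

// Constructed sample rows: the two titles from the report, each within varchar(20).
$tabs = [
    ['url' => 'link.php?id=1', 'title' => '<script>alert(1)/*'],
    ['url' => 'link.php?id=2', 'title' => '*/</script>'],
];

$html = '';
foreach ($tabs as $i => $tab) {
    $html .= render_tab($tab, $i);
}
echo $html;

// Because each field is encoded independently, fragments split across
// several rows cannot recombine into a live element in the rendered page.
if (stripos($html, '<script') !== false || stripos($html, '</script') !== false) {
    throw new RuntimeException('unencoded script tag reached the output');
}
```

Encoding at output removes any reliance on the column length as a control, which is the restriction the report shows being bypassed.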
