Stored XSS in lib/functions.php:1519 #918

scarvell · 2017-08-19T10:53:44Z

Lower risk, given that an account requires access to be able to add/edit external links to store the XSS, but line 1519 of lib/html.php isn't sanitizing $tab['title'].

print "<li><a id='" . (isset($tab['id']) ? $tab['id'] : 'maintab-anchor-' . $i) . "' class='lefttab" .(isset($tab['selected']) ? ' selected':'') . "' href='" . $tab['url'] . "'>" . $tab['title'] . "</a></li>\n";

Although the title field in external_links is a varchar(20), we can get around that restriction by creating multiple tabs and using comment blocks to keep the XSS valid:

Create the first tab with title:
<script>alert(1)/*

Create second tab with title:
*/</script>

Tested against version 1.1.17

The text was updated successfully, but these errors were encountered:

cigamit · 2017-08-19T14:14:00Z

Agree, but we will fix it anyway.

Minor XSS and create generalized escape function

cigamit · 2017-08-19T14:32:26Z

Resolved.

fgeek · 2017-08-22T06:04:57Z

Please use CVE-2017-12978 for this issue.

cigamit added a commit that referenced this issue Aug 19, 2017

Resolving Issue #918

9c610a7

Minor XSS and create generalized escape function

cigamit closed this as completed Aug 19, 2017

github-actions bot locked as resolved and limited conversation to collaborators Jun 30, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stored XSS in lib/functions.php:1519 #918

Stored XSS in lib/functions.php:1519 #918

scarvell commented Aug 19, 2017 •

edited

Loading

cigamit commented Aug 19, 2017

cigamit commented Aug 19, 2017

fgeek commented Aug 22, 2017

Stored XSS in lib/functions.php:1519 #918

Stored XSS in lib/functions.php:1519 #918

Comments

scarvell commented Aug 19, 2017 • edited Loading

cigamit commented Aug 19, 2017

cigamit commented Aug 19, 2017

fgeek commented Aug 22, 2017

scarvell commented Aug 19, 2017 •

edited

Loading