Stored XSS on forum #1661

Closed
delyura opened this issue Aug 30, 2022 · 6 comments
delyura commented Aug 30, 2022

Hello, we found a stored XSS on the forum.
Tested on the latest version, 0.9.20.
PoC:

  1. Create a new topic with a poll
     [Screenshot_1]
  2. The XSS executes
     [Screenshot_2]
@Alex300 Alex300 self-assigned this Aug 31, 2022
@Alex300 Alex300 added this to the Siena 0.9.21 milestone Aug 31, 2022

Alex300 commented Sep 4, 2022

This thing is available only to administrators. This is related to the HTML Purifier settings. Administrators have more permissions than regular users.

JavaScript needs to be disabled in HTMLPurifier for admins too, somehow.

@Alex300 Alex300 removed the Critical label Sep 4, 2022
@Alex300 Alex300 mentioned this issue Sep 4, 2022
Alex300 added a commit that referenced this issue Sep 4, 2022
<script> tags are disabled in HTMLPurifier for admins too

Alex300 commented Sep 4, 2022

<script> tags are disabled in HTMLPurifier for admins too

@Alex300 Alex300 closed this as completed Sep 4, 2022

delyura commented Sep 4, 2022

> <script> tags are disabled in HTMLPurifier for admins too

Creating blacklists is not best practice; you should use a whitelist. For example, you disable the <script> tag, but the payload <img src=x onerror=alert(1)> will still work.
For a comprehensive list, check out the DOMPurify allowlist.


Alex300 commented Sep 4, 2022

Are you suggesting making a whitelist with all possible valid options, except for the <script> tag :)?

> but the payload <img src=x onerror=alert(1)>

Really? I can't reproduce this case.

Moreover, this situation is only possible if an administrator saves text with the XSS script. Regular users have stricter HTMLPurifier settings.

@Cristian-Bejan

> Are you suggesting making a whitelist with all possible valid options, except for the <script> tag :)?
>
> > but the payload <img src=x onerror=alert(1)>
>
> Really? I can't reproduce this case.
>
> Moreover, this situation is only possible if an administrator saves text with the XSS script. Regular users have stricter HTMLPurifier settings.

He is saying to only allow (whitelist) e.g. plain text. Thus you will automatically reject everything else.


Alex300 commented Sep 8, 2022

I understood, but in this case all options from the HTMLPurifier default policy are needed, except the JS tag and attributes )
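The disagreement above is about two sanitising strategies, and the `<img src=x onerror=alert(1)>` payload quoted in the thread is exactly the case that separates them. The following is an added example, not code from this project or from HTMLPurifier: a script-only blocklist filter next to a small allowlist sanitizer built on Python's `html.parser`. The allowlist (tags, per-tag attributes, URL schemes) is constructed here for illustration; what matters is that anything not explicitly permitted is dropped, so event-handler attributes never have to be enumerated, which is the "default policy minus JS tags and attributes" shape the last comment describes.

```python
"""Blocklist vs. allowlist HTML sanitising, shown on the payload from the thread."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed policy for a forum post: allowed tags and, per tag, the attributes
# that may survive. Everything else (onerror, onclick, style, formaction, ...)
# is removed without ever being named.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "strong": set(), "em": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "title", "width", "height"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br", "img"}


def blocklist_sanitize(html: str) -> str:
    """The weak approach: remove <script> elements only.
    Any other tag, including its on* handler attributes, passes through untouched."""
    return re.sub(r"(?is)<script\b[^>]*>.*?</script\s*>|<script\b[^>]*/?>", "", html)


def is_safe_url(value: str) -> bool:
    """Relative URLs are accepted; absolute URLs must use an allowlisted scheme.
    Whitespace and control characters are stripped first, since browsers ignore
    them inside a scheme name when deciding how to interpret the URL."""
    v = re.sub(r"[\x00-\x20]", "", value).lower()
    head = v.split("/", 1)[0]
    if ":" not in head:
        return True  # no scheme present: relative reference
    return head.split(":", 1)[0] in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens. Only allowlisted tags and
    attributes are emitted and all text is re-escaped, so no raw input reaches
    the output; comments and declarations are silently dropped."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # >0 while inside an element whose content is discarded

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            if tag in ("script", "style"):
                self.skip_depth = 1  # drop the element body too, not just the tag
            return
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag]:
                continue  # unknown attribute: gone, whatever it is called
            value = value or ""
            if name in URL_ATTRS and not is_safe_url(value):
                continue  # javascript:, data:, vbscript: ... rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # <br/> and <img/> need no closing tag

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag not in VOID_TAGS:
                self.skip_depth -= 1
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))


def allowlist_sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    payload = "<img src=x onerror=alert(1)>"  # the payload quoted in the thread
    print("blocklist:", blocklist_sanitize(payload))
    print("allowlist:", allowlist_sanitize(payload))
```

Running it shows the blocklist output unchanged from the input, while the allowlist output keeps the `<img>` element and its `src` but has no `onerror` attribute at all. The same mechanism rejects `javascript:` URLs in `href`, which a tag-name blocklist also never sees.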
