
Persistent XSS on 'Website's name' field (site_title) #150

Closed
nathunandwani opened this issue May 27, 2018 · 4 comments

Comments

@nathunandwani

Hi guys, wonderful work on the CMS! I found a security issue on the website's name in the admin settings:

Stored cross-site scripting (XSS) vulnerability in the "Website's name" field found in the "Settings" page under the "General" menu in WityCMS 0.6.1 allows remote attackers to inject arbitrary web script or HTML via a crafted website name by doing an authenticated POST HTTP request to WityCMS/admin/settings/general.

This vulnerability is specifically in the "Website's name" field. I noticed that it does strip off the tags <script> and </script>; however, it isn't recursive. By entering this payload:

<scri<script>pt>alert(1)</scri</script>pt>

JavaScript gets executed. Here's an output of the mentioned payload when entered and saved.

[screenshot: payload]

The payload gets saved in the file /system/config/config.php as raw JavaScript code:

[screenshot: savedconfig]

When an unauthenticated user visits the page, the code gets executed:

[screenshot: unauthenticateduser]

If the data is not sanitized upon input, these components are going to return arbitrary web script or HTML that can be rendered by the browser because it retrieves the script; hence, the possible "Affected Components" are as follows:
- Potentially all scripts using: /apps/user/front/lang/en.xml
- Potentially all scripts using: /apps/user/front/lang/fr.xml
- /apps/settings/admin/templates/general.html
- /apps/user/front/main.php
- /cache/templates/apps-settings-admin-templates-general.php

There may be more, but I believe this can be fixed by recursively stripping out the tags <script> and </script>.
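To show why the single-pass filter described in the report can be bypassed and what a robust fix looks like, here is an added Python reconstruction of the filtering logic. It is not WityCMS code (the project is PHP); the function names, the fixpoint bound and the sample title are assumptions, and the payload is the one quoted in the report.

```python
import html
import re

# Payload quoted in the issue report, used here as constructed test input.
NESTED_PAYLOAD = "<scri<script>pt>alert(1)</scri</script>pt>"


def strip_once(value: str) -> str:
    """Single-pass removal of <script> and </script>, the weak behaviour the
    report describes. Removing the inner tags re-assembles the outer ones, so
    the stored value is a working script element after one pass."""
    return value.replace("<script>", "").replace("</script>", "")


def strip_to_fixpoint(value: str) -> str:
    """The reporter's suggestion: repeat the removal until nothing changes.
    Bounded so that a pathological input cannot keep the loop busy; if the
    bound is hit, the field is blanked (assumed policy, not the project's)."""
    for _ in range(100):
        stripped = strip_once(value)
        if stripped == value:
            return stripped
        value = stripped
    return ""


def render_site_title(value: str) -> str:
    """Preferred defence: store the title as entered and HTML-escape it at the
    point it is written into the page. Tag removal is a blacklist and misses
    case variants and other elements; escaping neutralises all markup."""
    return html.escape(value, quote=True)


def contains_script_tag(markup: str) -> bool:
    """Detection helper for tests or log review: does rendered output still
    carry an opening or closing script tag?"""
    return re.search(r"<\s*/?\s*script\b", markup, re.IGNORECASE) is not None
```

Running the payload through `strip_once` yields a complete `<script>alert(1)</script>`, while `render_site_title` produces only escaped text that no browser will execute.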

@nathunandwani
Author

Just to follow up. I can confirm that this commit fixes the problem: 7967e5b. However, the problem still exists in the latest release 0.6.1, so I guess it's now best to push the 0.6.2 update? Thanks a lot!

@JohanDufau
Member

Hello!
Thanks for your feedback. Indeed, the XSS was fixed in a commit after the 0.6.1. I'll try to release the patch this week.
Johan

@nathunandwani
Author

Hi Johan! Thank you so much!

@JohanDufau
Member

Hello!
v0.6.2 has just been released with the fix 🍾 :
https://github.com/Creatiwity/wityCMS/releases/tag/0.6.2

Don't hesitate to open a new issue if you find a new bug :)
Johan
