Stored Cross-site scripting (XSS) in product page

[prodigysml]

Bug

Stored Cross-site scripting (XSS) using product page, bypassing XSS detection

Environment

• Version: 6.0.2
• OS: Ubuntu
• Web server: Apache
• PHP: 7.0
• Database: MySQL
• URL(s): product/card.php?id=1929&mainmenu=home

Expected and actual behavior

Expected behaviour

XSS detector picks up on the payload and refuses to save it

Actual behaviour

XSS payload is saved with no interference from the detector. When visiting the page later, the payload executes.

Steps to reproduce the behavior

1. Log into Dolibarr with a user who can edit the name of a product
2. Choose a product (this products name will be changed FYI), and click on the modify details button
3. Append the following payload to the product's current name: <iframe/src="data:text/html;&Tab;base64&Tab;,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg==">

Suggested implementation

Change the detector to now pick up on similar payloads (including this one)

[carnil]

This issue was assigned CVE-2017-1000509.

[fgeek]

Has someone from development team verified this and are you planning to fix this vulnerability?

[atm-florian]

Try on 7.0
Access refused by SQL/Script injection protection in main.inc.php (type=0 key=ref value=<iframe/src="data:text/html; base64 ,PGJvZHkgb25sb2FkPWFsZXJ0KDEpPg=="> page=/dolibarr/product/card.php)

[atm-florian]

Issue should be close

[github-actions]

This issue is stale because it has been open 1 year with no activity. If this is a bug, please comment to confirm it is still present on latest stable version. if this is a feature request, please comment to notify the request is still relevant and not yet covered by latest stable version. Without comment, this issue will be closed automatically by stale bot in 15 days.