HTML/XSS injection (Trac #1524) #1524

Closed
elgg-gitbot opened this issue Feb 16, 2013 · 4 comments
@elgg-gitbot elgg-gitbot commented Feb 16, 2013

Original ticket http://trac.elgg.org/ticket/1524 on 40131250-04-17 by trac user psy, assigned to unknown.

Elgg version: 1.6

The FCKEditor plugin doesn't parse some params correctly. It is possible to inject JavaScript code on the client and server side.

The injection vector is in the preformatted tag.

This bug can break the integrity of the social network.

Tested on Firefox & Chrome.

-----------------------------------------------------
[+] Elgg Release - 1.6.1, Version - 2009072201 + CKEditor v1.0
[+] Bug: HTML/XSS injection
[+] By: .:ald:. (psy)
[+] Download: http://elgg.org/downloads.php
[+] Plugin: http://community.elgg.org/pg/plugins/springs/read/385093/ckeditor-replaces-tinymce

[+] htmlawed (provides tag filtering for user input) Version: 1.5 enabled!

POC:

-login
-write new topic on CKEditor

// client side //

-click on "source html"
-enter injection vector:

<iframe src="data:text/html;charset=utf-8,%3cscript%3ealert(XSS);history.back();%3c/script%3e"></iframe>

-click on "source html" (!!!!)

// server side: (persistent XSS) //

-click on "source html"
-enter preformatted text:

vector

-click on "source html"
-enter injection vector:

<iframe src="data:text/html;charset=utf-8,%3cscript%3ealert(1);history.back();%3c/script%3e"></iframe> (!!!!) XSS (!!!!) [...]

// risks

  • On server-side injections, users of the social network who try to edit the topic will execute the malicious code.
  • It's useful to steal session cookies, subvert the admin control panel or create browser botnets.
-----------------------------------------------------
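An added example, not code from Elgg, CKEditor or htmlawed: a server-side allowlist sanitizer of the kind that must run on submitted HTML regardless of what the editor's "source" mode lets through. The tag and attribute allowlists, the URL scheme check and the `sanitize` function are assumptions of this example; the sample input is the ticket's own iframe vector, and the returned list of dropped tags is what a deployment would log.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists are constructed for this example; they are not htmlawed's real configuration.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "pre", "code", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute (on*, style, src, ...) is dropped
URL_SCHEMES = {"", "http", "https"}      # "" keeps relative links; data:/javascript: are refused
DROP_CONTENT = {"script", "style", "iframe", "object", "embed"}  # drop the body, not just the tag
VOID = {"br"}                            # no closing tag is emitted for these

class AllowlistSanitizer(HTMLParser):
    # Rebuilds the document from scratch, so only allowlisted markup can survive.
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded; re-escaped on output
        self.out, self.dropped, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)
            if tag in DROP_CONTENT:       # an unclosed dangerous tag drops the rest: fail closed
                self.skip += 1
            return
        if self.skip:
            return
        kept = ""
        for name, value in attrs:
            value = (value or "").strip()
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            if name == "href" and urlparse(value).scheme not in URL_SCHEMES:
                continue                  # refuses data:, javascript:, vbscript:, ...
            kept += f' {name}="{escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT and self.skip:
            self.skip -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID and not self.skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text in <pre> is text, never markup

def sanitize(html):
    # Returns (clean_html, dropped_tags); a non-empty dropped_tags list is worth logging.
    parser = AllowlistSanitizer()
    parser.feed(html); parser.close()
    return "".join(parser.out), parser.dropped
```

Running `sanitize` on the ticket's server-side input `<pre>vector</pre><iframe src="data:...">` keeps the `<pre>` block and reports `['iframe']` as dropped.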
@elgg-gitbot elgg-gitbot commented Feb 16, 2013

brettp wrote on 40131265-08-06

This is a 3rd party plugin and any security issues with it should be reported to its author. Also, from trac's front page:

SECURITY ISSUES SHOULD BE REPORTED TO security@elgg.com! Please do not post any security issues in trac!

@elgg-gitbot elgg-gitbot commented Feb 16, 2013

trac user psy wrote on 40131290-03-21

Replying to brettp:

This is a 3rd party plugin and any security issues with it should be reported to its author. Also, from trac's front page:

SECURITY ISSUES SHOULD BE REPORTED TO security@elgg.com! Please do not post any security issues in trac!

OK, I thought security issue reporting was only for core Elgg.

Anyway, this class of injections, from extensions, is a problem of the core parsers too.

I will report to its author.

Thanks.

@elgg-gitbot elgg-gitbot commented Feb 16, 2013

brettp wrote on 40131295-07-18

If the htmlawed plugin is enabled these injections shouldn't be possible. If you do find there's a problem with htmlawed's filtering, please email security@elgg.com with the details. Thanks.

@elgg-gitbot elgg-gitbot commented Feb 16, 2013

trac user psy wrote on 40131312-05-27

Replying to brettp:

If the htmlawed plugin is enabled these injections shouldn't be possible. If you do find there's a problem with htmlawed's filtering, please email security@elgg.com with the details. Thanks.

The htmlawed (v1.5) plugin is enabled. I reported the PoC to security@.

Thanks to you.
