Stored Cross-site Scripting (XSS) #125

Closed
ProDigySML opened this Issue Oct 28, 2017 · 3 comments

ProDigySML commented Oct 28, 2017

Issue Summary

Stored Cross-site Scripting (XSS) in the page editor, allowing any author to get arbitrary JavaScript execution in any viewer's browser.

Steps to Reproduce

  1. Log in as a user with writer permissions
  2. Choose to edit a blog post
  3. Choose to embed a resource. A side panel will appear asking you for code.
  4. Enter the following payload in the side panel: <IFRAME SRC="javascript:alert(1);"></IFRAME>, and save the blog.
  5. View the blog and observe an alert box pop up.

Additional info

  • Leafpub version: 1.2.0-beta6
  • PHP version: 7.0
  • Affected browsers: All that can run JavaScript
  • Operating system: Ubuntu
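The payload in step 4 reaches every viewer because the embed panel stores the pasted HTML as-is. The block below is an added example, not Leafpub's code, of the server-side allowlist sanitization that neutralizes it: tags and attributes not on the allowlist are dropped, URL attributes are entity-decoded and parsed so a javascript: scheme is caught in its obfuscated forms (&#106;avascript:, java&Tab;script:, a leading control character), and iframes are restricted to https and a host allowlist. The ALLOWED policy, IFRAME_HOSTS and SITE_BASE are assumptions for the example.

```javascript
"use strict";

// Allowlist sanitizer for the HTML an author pastes into an embed panel.
// Everything below is a hypothetical policy for this example: the tags and
// attributes kept, the hosts an iframe may frame, and the site origin used
// to resolve relative links.
const ALLOWED = {
  iframe: new Set(["src", "width", "height", "title", "allowfullscreen"]),
  a: new Set(["href", "title"]),
  p: new Set(), b: new Set(), i: new Set(), em: new Set(), strong: new Set(), br: new Set(),
};
const IFRAME_HOSTS = new Set(["www.youtube.com", "player.vimeo.com"]);
const URL_ATTRS = new Set(["src", "href"]);
const SITE_BASE = "https://blog.example/";

const NAMED = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'", nbsp: "\u00a0",
                colon: ":", tab: "\t", newline: "\n" };

// Decode entities the way a browser does before it looks at an attribute,
// so "&#106;avascript:" is checked as "javascript:" rather than waved through.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);?/gi, (m, body) => {
    if (body[0] === "#") {
      const hex = body[1].toLowerCase() === "x";
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0 && cp <= 0x10ffff ? String.fromCodePoint(cp) : "";
    }
    const v = NAMED[body.toLowerCase()];
    return v === undefined ? m : v;
  });
}

// Re-encode for output; applied to text nodes and attribute values alike.
function encodeText(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}

// Returns the URL to keep, or null when the attribute must be dropped.
// WHATWG URL parsing removes the tabs/newlines and leading control characters
// browsers ignore, so "java\tscript:" and " javascript:" both come out with a
// javascript: scheme and are rejected here instead of reaching a viewer.
function safeUrl(tag, raw) {
  let url;
  try { url = new URL(decodeEntities(raw), SITE_BASE); } catch (e) { return null; }
  if (tag === "iframe") {
    return url.protocol === "https:" && IFRAME_HOSTS.has(url.hostname) ? url.href : null;
  }
  return ["http:", "https:", "mailto:"].includes(url.protocol) ? url.href : null;
}

const TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s"'<>\/=]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'<>`]+))?)*)\s*\/?>/g;
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'<>`]+)))?/g;

function sanitizeEmbed(html) {
  // Comments, doctypes, CDATA and processing instructions carry nothing an
  // embed needs and are classic places to hide markup: strip them first.
  html = html.replace(/<!--[\s\S]*?-->/g, "").replace(/<![^>]*>/g, "").replace(/<\?[\s\S]*?\?>/g, "");
  let out = "", last = 0, dropUntil = null, m;
  const open = {};              // open-tag counts, so only matched closers are emitted
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const text = html.slice(last, m.index);
    last = TAG_RE.lastIndex;
    const isClose = m[0][1] === "/";
    const name = m[1].toLowerCase();
    if (dropUntil) {            // inside <script>/<style>: discard body and tags
      if (isClose && name === dropUntil) dropUntil = null;
      continue;
    }
    out += encodeText(decodeEntities(text));
    if (name === "script" || name === "style") { if (!isClose) dropUntil = name; continue; }
    const allowedAttrs = ALLOWED[name];
    if (!allowedAttrs) continue;                    // unknown tag: drop it, keep its text
    if (isClose) {
      if (open[name] > 0) { open[name]--; out += `</${name}>`; }
      continue;
    }
    let attrs = "";
    ATTR_RE.lastIndex = 0;
    for (let a; (a = ATTR_RE.exec(m[2])) !== null;) {
      const key = a[1].toLowerCase();
      if (!allowedAttrs.has(key)) continue;         // drops onload=, style=, srcdoc=, ...
      const raw = a[2] ?? a[3] ?? a[4] ?? "";
      const value = URL_ATTRS.has(key) ? safeUrl(name, raw) : decodeEntities(raw);
      if (value === null) continue;
      attrs += ` ${key}="${encodeText(value)}"`;
    }
    if (name === "iframe" && !attrs.includes(' src="')) continue; // no trusted src, no frame
    out += `<${name}${attrs}>`;
    if (name !== "br") open[name] = (open[name] || 0) + 1;
  }
  if (!dropUntil) out += encodeText(decodeEntities(html.slice(last)));
  return out;
}
```

Run with node: the issue's payload comes back as an empty string, while a YouTube iframe keeps its src and width and loses its onload. A regex tokenizer is enough for a demonstration; the production fix should be a parser-based sanitizer (HTML Purifier on the PHP side, DOMPurify in the browser) plus a Content-Security-Policy as defence in depth, and the checks above are the decisions any of those has to make.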
Contributor

karsasmus commented Oct 28, 2017

I don't understand your point. You'll be able to embed an iframe with javascript on your own site? Or a person you've allowed to write on your site is able to do that?

ProDigySML commented Oct 28, 2017

Yes, a person you have allowed to write on your site is able to do that. The idea is, this can be used for denying service to other users and hijacking other users' sessions by stealing their session tokens (as HTTPOnly is not set on them).
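On the HttpOnly point in the reply above: the check a tester runs on the session Set-Cookie header, and the hardened header it should become, as an added JavaScript example that is not Leafpub's code. The sample header is constructed in the shape PHP's native session cookie takes when session.cookie_httponly and session.cookie_secure are left off; the thread does not say which session mechanism Leafpub uses, so the cookie name is an assumption.

```javascript
"use strict";

// Inspect a Set-Cookie header for the flags that limit what stored XSS can
// do with the session, and rewrite it with those flags added. HttpOnly keeps
// document.cookie from reading the value, Secure keeps it off plaintext HTTP,
// SameSite=Lax blunts cross-site requests that would carry it.

// Parse "name=value; attr; attr=value" into its parts. Attribute names are
// case-insensitive (RFC 6265), so they are lower-cased for comparison.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const attrs = new Map();
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const k = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    const v = i < 0 ? true : part.slice(i + 1).trim();
    attrs.set(k, v);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// What a tester looks for on a session cookie; returns the flags it lacks.
function missingSessionFlags(header) {
  const { attrs } = parseSetCookie(header);
  const missing = [];
  if (!attrs.has("httponly")) missing.push("HttpOnly");
  if (!attrs.has("secure")) missing.push("Secure");
  const ss = attrs.get("samesite");
  if (typeof ss !== "string" || ss.toLowerCase() === "none") missing.push("SameSite=Lax");
  return missing;
}

// Rebuild the header with the flags added, keeping everything else as sent.
function hardenSetCookie(header) {
  const { name, value, attrs } = parseSetCookie(header);
  attrs.set("httponly", true);
  attrs.set("secure", true);
  const ss = attrs.get("samesite");
  if (typeof ss !== "string" || ss.toLowerCase() === "none") attrs.set("samesite", "Lax");
  const canonical = { path: "Path", domain: "Domain", expires: "Expires", "max-age": "Max-Age",
                      samesite: "SameSite", secure: "Secure", httponly: "HttpOnly" };
  let out = `${name}=${value}`;
  for (const [k, v] of attrs) {
    const label = canonical[k] ?? k;
    out += v === true ? `; ${label}` : `; ${label}=${v}`;
  }
  return out;
}

// Constructed sample (assumption): the shape of PHP's session cookie with the
// httponly/secure ini settings at their off defaults.
const SAMPLE = "PHPSESSID=3f1c9a2b8d7e; path=/";
```

HttpOnly only keeps document.cookie out of reach of injected script; the script still runs in the victim's browser and can send authenticated requests on their behalf, so the flag limits the damage of the report above without removing it, and the sanitization of the embed is the actual fix. In PHP the equivalent of hardenSetCookie is session.cookie_httponly=1 and session.cookie_secure=1 in php.ini, or session_set_cookie_params() with those arguments before session_start().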

Contributor

karsasmus commented Oct 28, 2017

Then you should choose your writers wisely.

@karsasmus karsasmus closed this Oct 28, 2017
