
SOLVED: Stored Cross site Scripting in "Site Name EN" parameter #1

Closed
carlcj opened this Issue Dec 16, 2018 · 4 comments


carlcj commented Dec 16, 2018

Vulnerability Name: Stored Cross-site Scripting in "Site Name EN*" Parameter

Vulnerability Description: An authenticated user can inject malicious JavaScript code into the "Site Name EN" field; thus many of the modules are affected by this, because the site name is visible in almost all modules.

Vulnerable URL: http://localhost/peel-shopping_9_1_0/administrer/sites.php

Please see the PoC below:
[screenshot: stored XSS on site name parameter]

Mitigation: the entire site is vulnerable to cross-site scripting attacks; input validation should be properly implemented.

References for Mitigation Vulnerability: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

@carlcj carlcj changed the title Stored Cross site Scripting in "Sitename" parameter Stored Cross site Scripting in "Site Name EN" parameter Dec 16, 2018


advisto commented Dec 16, 2018

Dear carlcj,

Thanks for your report, which is very clear and professional.
PEEL is a multisite ecommerce system. It is designed to allow one administrator to handle multiple websites, for example a general presentation website and various related eshops.
It is not designed to give administration rights to people in whom you are not confident. An administrator can configure environment variables and set up multiple things that can execute JavaScript.

In this regard, this XSS is not a problem in itself. However, it is true that it is not clean to allow HTML inside "Site Name EN", and we will change real_escape_string in the code into nohtml_real_escape_string in the database save of this information.

If you have any question on this matter, please feel free to discuss it further.

Thanks,

Gilles Boussin


advisto commented Dec 16, 2018

I have committed the correction related to your post.
Please confirm that you are ok to close this subject.

Gilles


carlcj commented Dec 16, 2018

Thank you for the quick reply. Yeah, it is true, the admin only has access to the administration module. However, input validation should be implemented in order to make it secure. If possible, use the htmlspecialchars() function when accepting input from the users; this will encrypt the HTML tags such as <> to &gt; and &lt;. You can see the reference link specified in the mitigation section for more details.

This is an example use of htmlspecialchars() in PHP:

<?php
// Encode HTML special characters before printing the value.
print htmlspecialchars('<br>An example');

Result:

&lt;br&gt;An example

You can close this subject.
Regards.


advisto commented Dec 16, 2018

Thanks, I do close it.

FYI, there are various places in Smarty templates where we call |escape:'html', like in admin_liste_configuration:

{$res.string|html_entity_decode_if_needed|escape:'html'}{$res.comment}
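As an added example, not code from PEEL or from either participant in this thread: the two defences discussed above applied to a constructed "Site Name EN" value in PHP. strip_tags() stands in for PEEL's nohtml_real_escape_string(), whose implementation is not shown on this page, and the decode-then-escape step mirrors the Smarty filter chain quoted in the comment above; the input value and the check function are constructed for the example.

```php
<?php
// Added example, not PEEL's code: the two defences discussed in this thread,
// applied to a constructed "Site Name EN" value. strip_tags() stands in for
// PEEL's nohtml_real_escape_string(), whose implementation is not shown here.
declare(strict_types=1);

// Constructed input an administrator might submit through administrer/sites.php.
const SUBMITTED_SITE_NAME = 'My Shop <img src=x onerror="alert(1)">';

// 1. Input side: drop markup before the value reaches the database
//    (approximates the nohtml_* change the maintainer describes).
function sanitize_site_name_for_storage(string $raw): string
{
    $noHtml = strip_tags($raw);
    // Collapse the whitespace left behind by the removed tag.
    return trim(preg_replace('/\s+/', ' ', $noHtml) ?? '');
}

// 2. Output side: encode for the HTML body context at render time, whatever
//    is stored. ENT_QUOTES also neutralises quotes inside attribute values.
//    Rows that already hold entities (which PEEL's html_entity_decode_if_needed
//    filter implies can happen) are decoded first so they are not double-encoded.
function render_site_name(string $stored): string
{
    $decoded = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return htmlspecialchars($decoded, ENT_QUOTES, 'UTF-8');
}

// Constructed check: a value is only safe in an HTML body if no raw tag
// opener survives in it.
function contains_raw_tag(string $html): bool
{
    return (bool) preg_match('#<[a-z!/]#i', $html);
}

// Vulnerable path (what the report describes): the raw value is echoed into
// every module's page, so the injected tag is parsed as HTML.
// Hardened path A: sanitised at save time.
$stored = sanitize_site_name_for_storage(SUBMITTED_SITE_NAME);
// Hardened path B: output-encoded at render time, which also protects rows
// saved before the fix.
$rendered = render_site_name(SUBMITTED_SITE_NAME);

printf("submitted: %s\n", SUBMITTED_SITE_NAME);
printf("stored:    %s\n", $stored);
printf("rendered:  %s\n", $rendered);
printf("raw tag survives? submitted=%s stored=%s rendered=%s\n",
    var_export(contains_raw_tag(SUBMITTED_SITE_NAME), true),
    var_export(contains_raw_tag($stored), true),
    var_export(contains_raw_tag($rendered), true));
```

Output encoding at render time is the defence that also covers values stored before the nohtml change, since the database may still hold older rows with raw markup.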

@advisto advisto closed this Dec 16, 2018

@advisto advisto changed the title Stored Cross site Scripting in "Site Name EN" parameter SOLVED: Stored Cross site Scripting in "Site Name EN" parameter Dec 16, 2018
