Multiple Stored/Persistent and Reflected Cross-site Scripting attacks #876
Comments
Are these vulnerabilities used by an attacker, or only available for The reason I'm asking this and not panicking about trying to fix the holes
Well, the stored XSS part can mainly be used by an admin, but a normal user can make use of the User profile / username field to steal admin cookies if he wants to. The Reflected XSS can be used by anyone on the internet to steal cookies or redirect the users to attacker sites!
Ahh, I see. So if the user inserts a script on registration to steal all I still don't understand this. I need a demonstration on how this can be I have Skype, and am available to be contacted via [deleted].
@TheBrenny Can you fix this? Just make all the user input go through the PHP function htmlspecialchars() and it will automatically take care of the stored XSS issue.
I'll try to smash it out later. I'll make pretty much everything go through filter sanitize to take out special characters and such. Shouldn't be too hard...
It'd be a great help if you can do this @TheBrenny. @TheBrenny, can you send me a private message on https://gitter.im/anchorcms/anchor-cms at some point? Cheers man!
@a0xnirudh Are you sure the Direct URL injection works? I just tried it in my admin panel, and it didn't work...
@TheBrenny Of course I am. Here is a link for you to try out: http://brennytizer.com.au/index.php/admin/login/%3Cscript%3Ealert%281%29;%3C/script%3E You should use Firefox and not Chrome, since Chrome has an inbuilt XSS Auditor which blocks the URL injection.
@CraigChilds94 Was the issue #106 fixed in Anchor CMS before? If so, can you point me to the commit that does the fix (the issue is marked as fixed, which means it has to have been fixed at some point)? No commit has been referenced in issue #106 before closing it, and I tried searching but it was quite hard to find. I think the same Stored XSS issue that I have reported was reported before in #106, and if it was resolved, then I would like to see how it got resolved and how the stored XSS came back at the same spot (if I can know that, I can help in fixing the same). cc @rwarasaurus @TheBrenny
I'm not sure when/how it was fixed; @rwarasaurus is probably best for this one, though it was years ago!
This can be closed: #883 |
@a0xnirudh (comment dated 25 Jun 2015)
http://localhost/anchor-cms/admin/posts/%3Cscript%3Ealert%281%29%3C/script%3E
http://localhost/anchor-cms/admin/%3Cscript%3Ealert%281%29%3C/script%3E
Those are also reflected exploitations; not DOM-based. The URLs are sent to anchor-cms, which sends them back in the 404 page.
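The htmlspecialchars() fix suggested earlier in the thread, applied to the exact payloads this report uses (the attribute-context onmouseover values and the path echoed back by the 404 page), as an added example that is not Anchor CMS code; the input markup, the e() helper and the 404 template are assumptions:

```php
<?php
// Added example, not Anchor CMS code: the same user-controlled values the
// report injects, rendered first unescaped and then through htmlspecialchars().

// Constructed sample input mirroring the report's payloads.
$realname    = 'Administrator"onmouseover="alert(1)"';
$requestPath = '/admin/login/<script>alert(1);</script>';

// Encode a value for an HTML body or attribute context (assumed helper name).
// ENT_QUOTES also escapes single quotes, which the default flags leave alone,
// so the value is safe inside single-quoted attributes too; ENT_SUBSTITUTE
// replaces invalid byte sequences instead of returning an empty string, and
// the charset must match the page's declared encoding.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable: the raw value lands inside a double-quoted attribute, so the
// quote in the payload closes the attribute and adds an onmouseover handler.
$unsafeInput = '<input name="real_name" value="' . $realname . '">';

// Fixed: every double quote becomes &quot; and stays part of the value.
$safeInput = '<input name="real_name" value="' . e($realname) . '">';

// Reflected case from this comment: a 404 page that echoes the requested URL.
// Unescaped, the <script> element in the path is rendered and executed.
$unsafe404 = '<p>Page not found: ' . $requestPath . '</p>';

// Fixed: < and > become &lt; and &gt;, so the browser shows text, not a script.
$safe404 = '<p>Page not found: ' . e($requestPath) . '</p>';

echo $unsafeInput, "\n", $safeInput, "\n", $unsafe404, "\n", $safe404, "\n";
```

This covers HTML body and attribute contexts only; a value placed inside a script block, a URL or a CSS rule needs an encoder for that context, since htmlspecialchars() alone does not make it safe there.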
@mounty1 Yes, it's my mistake; it was not DOM based but Reflected! I will modify it!
This is the complete list of Stored and Reflected XSS in both the downloaded version from the official site, that is, 0.9.2, and the github branch 0.9-dev. These are not patched in any of the versions:

Locations:
Creating pages: title = list"onmouseover="alert(1)";
User-Profile: Realname = Administrator"onmouseover="alert(1)";
Username field = Administrator"onmouseover="alert(1)";
New User: Realname = newuser"onmouseover="alert(1)";
username = newuser"onmouseover="alert(1)";
Extend: site page types: Name = newpage"onmouseover="alert(1)";
Custom Fields: Label = newpage"onmouseover="alert(1)";

Locations:
Inside the post: <script>alert(1);</script>
(even though this may not be used to exploit, it's better to fix it).

Direct URL Injection:
http://localhost/anchor-cms/admin/posts/%3Cscript%3Ealert%281%29%3C/script%3E
http://localhost/anchor-cms/admin/%3Cscript%3Ealert%281%29%3C/script%3E

I have verified the Reflected attacks by trying out the same on http://blog.anchorcms.com and brennytizer.com.au (@TheBrenny, just to verify).
Thanks @seshagiriprabhu for helping me with the same.