Security - Stored Cross Site Script #1132

Closed
thatsa9 opened this issue Feb 5, 2020 · 2 comments
thatsa9 commented Feb 5, 2020

Describe

This vulnerability allows users with the Editor or Author role to insert malicious JavaScript through the WYSIWYG editor.

Steps to reproduce the vulnerability

Affected in Bludit v3.10.0

  1. Logged in with username “admon2”, who is an Editor, then pressed the button.

We inserted a simple HTML+JavaScript snippet as a PoC.

As a result, we could insert malicious JavaScript on the WYSIWYG editor.

But the CMS had set HttpOnly when the web application issued the token to the web browser, so the attacker couldn’t steal the cookie.

But the attacker still crafted malicious JavaScript to do other things, e.g. forcing every legitimate user to log out of the web application.

As a result, we could force legitimate users to log out.

Bludit version

Affected in Bludit v3.10.0

PHP version

PHP Version 7.1.33

dignajar (Member) commented Feb 5, 2020

Hi,
yes, it's allowed to insert JavaScript code in the pages; it is not a bug.
Regards

dignajar closed this as completed Feb 5, 2020
thatsa9 (Author) commented Feb 6, 2020

You should be sanitizing user input. In various situations it must be assumed that every user is a malicious user or has been compromised. In this case, the application should allow only some attributes, e.g. as TinyMCE or CKEditor do.
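The allowlist sanitization suggested in this comment, applied to the kind of payload described in the issue body (a script block, an event-handler attribute and a javascript: link), as an added example that is not Bludit's code and not part of this thread. It walks the parsed DOM rather than matching tags with regular expressions, keeps only the elements and attributes in its own (assumed) allowlist, unwraps unknown formatting elements so their text survives, drops script-like elements outright, and rejects href/src values whose scheme is not on the allowlist. The tag and attribute names and the constructed PoC input are this example's choices, not Bludit's.

```php
<?php
// Added example, not Bludit's own code. Element/attribute allowlist is an
// assumption for illustration; extend it to what the WYSIWYG editor really needs.
const ALLOWED_TAGS = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'h2' => [], 'h3' => [], 'blockquote' => [], 'pre' => [], 'code' => [],
    'a'   => ['href', 'title'],
    'img' => ['src', 'alt'],
];
const ALLOWED_URL_SCHEMES = ['http', 'https', 'mailto'];
// Elements whose content must be removed, not unwrapped.
const DROP_WITH_CONTENT = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math'];

function urlIsSafe(string $url): bool {
    // Browsers ignore ASCII control characters inside the scheme ("java\tscript:"),
    // so strip them before checking. Entities are already decoded by the DOM parser.
    $probe = preg_replace('/[\x00-\x20]+/', '', $url);
    if (!preg_match('/^([a-z][a-z0-9+.\-]*):/i', $probe, $m)) {
        return true; // relative URL, no scheme
    }
    return in_array(strtolower($m[1]), ALLOWED_URL_SCHEMES, true);
}

function sanitizeNode(DOMNode $node): void {
    // Iterate over a snapshot: the tree is mutated while walking it.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMComment) {
            $node->removeChild($child);           // comments can smuggle conditional markup
            continue;
        }
        if (!$child instanceof DOMElement) {
            continue;                             // text nodes are inert once serialized
        }
        sanitizeNode($child);                     // clean the subtree first
        $tag = strtolower($child->tagName);
        if (!isset(ALLOWED_TAGS[$tag])) {
            if (!in_array($tag, DROP_WITH_CONTENT, true)) {
                while ($child->firstChild) {      // unwrap: keep children, lose the element
                    $node->insertBefore($child->firstChild, $child);
                }
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $allowed = in_array($name, ALLOWED_TAGS[$tag], true);
            $isUrl = in_array($name, ['href', 'src'], true);
            if (!$allowed || ($isUrl && !urlIsSafe($attr->value))) {
                $child->removeAttribute($attr->name); // drops on* handlers, style, bad URLs
            }
        }
    }
}

function sanitizeHtml(string $fragment): string {
    $doc = new DOMDocument();
    $prev = libxml_use_internal_errors(true);     // tolerate sloppy editor markup
    $doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $fragment . '</body></html>');
    libxml_use_internal_errors($prev);
    $body = $doc->getElementsByTagName('body')->item(0);
    if ($body === null) {
        return '';
    }
    sanitizeNode($body);
    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed PoC input in the spirit of the issue (not the reporter's actual payload).
$poc = '<p>Hello <b>world</b></p>'
     . '<script>alert(document.cookie)</script>'
     . '<img src="x" onerror="alert(1)">'
     . '<a href="java&#9;script:alert(1)" title="t">click</a>'
     . '<p style="background:url(javascript:alert(1))">styled</p>';
echo sanitizeHtml($poc), PHP_EOL;
```

Run this at save time on the server, before the page content is stored, rather than relying on the editor's client-side filtering, which an Editor or Author can bypass with a hand-crafted request. As the issue body shows, HttpOnly only stops cookie theft; anything the victim's session is allowed to do (including logging out, or any admin action) is still reachable from injected script, so the content itself must be constrained.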