Unauthenticated Stored Cross-Site Scripting (XSS) - Admin Account Takeover #7830
Good catch!
Even if it's not on Bolt's side, we need to make sure that it doesn't happen to the users. We can't rely on people not using the profiler in production mode.
Apart from the "boilerplate" content of this report, there is an issue somewhere. Not sure if we can fix it, though. Like @UtechtDustin says, it's certainly a bug in the profiler. It looks to be this exact issue, which was fixed in SF 3.3.6: https://vuldb.com/?id.119510 However, as Bolt 3 runs on SF 2.8 components, it doesn't seem likely the fix will get "downstreamed".
@Mikescops Well, no, but there are a few things to consider:
So, while I agree that this should ideally be fixed, I'm not certain that we can, or whether it's feasible. I verified that this issue is no longer present in v4 of Bolt. Testing it did bring another issue to light, so I'll be sure to fix that. Thank you, @007-prankster.
@bobdenotter there are a few things to consider:
Steps I've used to deploy Bolt:
This issue will still affect all the users who deployed with the same steps, leading to administrator account takeover. The severity of this issue is much higher due to the following reasons:
1. Unauthenticated attack:
2. Stored XSS: But in the case of stored XSS the payload is stored in the back-end database and is executed whenever a user (admin) visits the affected page.
Mitigation for this vulnerability: UPDATED. While it was observed that Bolt is making use of the SF library as a security defense, these third-party libraries cannot be relied upon or considered hack-proof. So, as per security best practices, developers are always recommended to ensure user input is properly sanitized and output is encoded, which will further mitigate this issue.
This issue has been automatically marked as stale because it has not had recent activity. Maybe this issue has been fixed in a recent release, or perhaps it is not affecting a lot of people?

1. Bug Summary:
Stored Cross-Site Scripting:
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
Scenario:
When an end user searches (http://hostname/search?search=term) for any results, logs are generated in the admin panel (http://hostname/_profiler/). When an end user inputs a malicious payload such as
URL-Encoded: %3Cimg%20src%3Dx%20onerror%3Djavascript%3Aconfirm%28113%29%3E
Decoded: <img src=x onerror=javascript:confirm(113)>
JavaScript is executed on the Database page of the admin panel (http://hostname/_profiler/token?panel=db), and an unauthenticated attacker can use such malicious payloads to perform various exploits: phishing, implanting a keylogger, CSRF token stealing, a session-aware keylogger, etc.
2. Steps to Reproduce:
Navigate to http://host/
Click on Search
Input payload from above
To validate the finding, log in to the admin console, navigate to http://hostname/_profiler, select the log containing the payload, and navigate to Database (http://hostname/_profiler/token?panel=db).
Selecting Logs:
Navigating to Database:
Payload Executed:
3. Mitigation:
References:
https://portswigger.net/web-security/cross-site-scripting/
https://portswigger.net/web-security/cross-site-scripting/stored
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
https://www.checkmarx.com/2017/10/09/3-ways-prevent-xss/
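The flow the report describes (a search term is percent-decoded, recorded as a query parameter in the profiler's stored log, and later rendered on the admin-only Database panel) modelled as an added example. This is constructed illustration code, not Bolt's or Symfony's implementation: the in-memory `PROFILER_STORE`, the query text and the two renderers are assumptions. It places the vulnerable concatenating renderer beside a hardened one that HTML-entity encodes every untrusted value, and adds a regression check that fails whenever the raw payload from the report survives into the page.

```python
"""Constructed model of the reported stored XSS flow (not Bolt's or Symfony's code)."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Hypothetical in-memory stand-in for the profiler's persisted query log,
# keyed by profiler token. Stored XSS needs exactly this: the payload is
# written once by the anonymous request and read later by the admin.
PROFILER_STORE = {}


def handle_search(token, request_url):
    """Model of the public search request: parse ?search=, 'run' a query and
    record the query plus its bound parameter under the request's token."""
    qs = parse_qs(urlsplit(request_url).query)
    term = qs.get("search", [""])[0]  # parse_qs already percent-decodes
    entry = {
        "sql": "SELECT * FROM bolt_pages WHERE title LIKE ?",  # assumed query
        "params": ["%" + term + "%"],
    }
    PROFILER_STORE.setdefault(token, []).append(entry)
    return PROFILER_STORE[token]


def render_db_panel_unsafe(token):
    """Vulnerable renderer: query text and parameters are concatenated into
    the HTML verbatim, so any markup in a parameter becomes live markup."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(e["sql"], ", ".join(e["params"]))
        for e in PROFILER_STORE.get(token, [])
    )
    return "<table>" + rows + "</table>"


def render_db_panel_safe(token):
    """Hardened renderer: every untrusted value is HTML-entity encoded for an
    element-content context; quote=True also covers attribute contexts."""
    rows = "".join(
        "<tr><td>{}</td><td>{}</td></tr>".format(
            escape(e["sql"], quote=True),
            escape(", ".join(e["params"]), quote=True),
        )
        for e in PROFILER_STORE.get(token, [])
    )
    return "<table>" + rows + "</table>"


def has_unescaped_markup(rendered, payload):
    """Regression check: does the raw payload survive into the rendered page?"""
    return payload in rendered


# Payload and URL exactly as given in the report.
PAYLOAD = "<img src=x onerror=javascript:confirm(113)>"
ENCODED_URL = (
    "http://hostname/search?search="
    "%3Cimg%20src%3Dx%20onerror%3Djavascript%3Aconfirm%28113%29%3E"
)


def demo(token="abc123"):
    """Run one anonymous search, then render the stored entry both ways."""
    PROFILER_STORE.clear()
    handle_search(token, ENCODED_URL)
    return {
        "unsafe_leaks_payload": has_unescaped_markup(render_db_panel_unsafe(token), PAYLOAD),
        "safe_leaks_payload": has_unescaped_markup(render_db_panel_safe(token), PAYLOAD),
        "safe_html": render_db_panel_safe(token),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=>", value)
```

The check function is the part worth keeping in a test suite: it turns "the admin page executed my payload" into an assertion that the exact bytes an untrusted user supplied never reach the page unencoded, independent of which template engine does the rendering.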