XSS vulnerability in creating Posts #331

Closed
C0deBr8kr opened this issue Apr 23, 2017 · 6 comments
@C0deBr8kr

Exploit Title: Stored XSS vulnerability possible in creating posts in canvas (v3.3.0)
Date: 22-April-2017
Exploit Author: @C0deBr8kr
Software Link: https://github.com/cnvs/canvas/archive/v3.3.0.zip
Version: 3.3.0

Description:
XSS allows an attacker to run arbitrary scripts in the user's browser.

Exploit POC:
Browser used: Chrome version 57.0.2987.133

  1. Log in as a user/admin user.
  2. Go to Posts > Add New.
  3. The title and the content fields are vulnerable to stored XSS.
  4. Enter <script>alert('XSS in title')</script> in the title, 'some subtitle' in the subtitle and <script>alert('XSS in content')</script> in the content field.
  5. Publish the post.
  6. Now, navigate to the "All posts" page. The script in the 'title' field will have executed and you will see an alert box with 'XSS in title'.
  7. Now go to the preview of this post by clicking on the magnifying glass next to the newly created post.
  8. The script that we had entered in the content will now have executed and you will see an alert box with 'XSS in content'.

References:
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

Screenshots (images not reproduced here):

  1. Creating a post.
  2. XSS on "All posts" page.
  3. Post created.
  4. XSS on the post page.
  5. Post page.

Impact: An attacker can execute arbitrary script in an unsuspecting user's browser.
For instance, since there is no separation between the posts created by a privileged and an unprivileged user, an unprivileged user can create a post with a script to steal the administrator's cookies or perform an action on his behalf.

Mitigation: Input should be properly validated before storing in the database and output from the database should also be properly encoded before displaying it to the user.

@C0deBr8kr
Author

Thank you for taking it up so quick. Similar vulnerabilities also exist while creating new tags and users.

@austintoddj
Owner

@C0deBr8kr Thank you for writing up such a neatly detailed Issue. Will look into this ASAP.

@reliq
Contributor

reliq commented May 4, 2017

@reliq reliq closed this as completed May 4, 2017
@austintoddj austintoddj reopened this May 14, 2017
@austintoddj
Owner

@reliq Re-opened with branch xss-protection. Biggest thing to be aware of before finishing the feature is that the integration tests pass.

@fredodev

fredodev commented Aug 1, 2017

Not sure how far this can be taken but wanted to note that XSS via markdown is also possible.

e.g. ![a" onerror="alert('Potential XSS');"](x)

Create/modify post: (screenshot not reproduced here)

Result when visiting post: (screenshot not reproduced here)

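The two injection contexts reported in this thread, as an added example that is not Canvas's own code: the post title stored and echoed unescaped into the "All posts" listing (the original report above), and the markdown image alt text interpolated into an alt="..." attribute so that a " in the alt text closes the attribute and the rest becomes an onerror handler (the payload in the previous comment). All function names and the sample posts are assumed for illustration. The quote-aware attribute parser is included only to show which attributes a browser would actually see; simply grepping the output for onerror= would also match the harmless, entity-encoded text inside a correctly escaped attribute value and report a false positive.

```javascript
// Added example (not Canvas project code): stored XSS via an unescaped post
// title and via markdown alt text, beside the output-encoded versions.
// Function names are hypothetical; the sample data below is constructed to
// mirror the payloads reported in this issue.

// Minimal HTML escaper covering the characters that matter both in a text
// node and inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// "All posts" listing rendered the vulnerable way: the stored title is
// concatenated straight into the markup, so a <script> element survives.
function renderListingUnsafe(posts) {
  return posts.map(p => `<li><a href="/post/${p.id}">${p.title}</a></li>`).join('');
}

// Same listing with output encoding applied at the point of rendering.
function renderListingSafe(posts) {
  return posts.map(p => `<li><a href="/post/${p.id}">${escapeHtml(p.title)}</a></li>`).join('');
}

// Markdown image rendering, vulnerable: alt text goes into a double-quoted
// attribute unescaped, so a `"` in it ends the attribute and the remainder of
// the text is parsed as further attributes (onerror="...").
function renderMarkdownImageUnsafe(markdown) {
  return markdown.replace(/!\[([^\]]*)\]\(([^)]*)\)/g, (_m, alt, src) =>
    `<img alt="${alt}" src="${src}">`);
}

// Hardened: alt text and URL are attribute-encoded, and the URL is restricted
// to http(s) or root-relative paths so a javascript: scheme is dropped
// (a bare relative path such as "x" is dropped too by this simple rule).
function renderMarkdownImageSafe(markdown) {
  return markdown.replace(/!\[([^\]]*)\]\(([^)]*)\)/g, (_m, alt, src) => {
    const safeSrc = /^(https?:\/\/|\/)/i.test(src) ? src : '';
    return `<img alt="${escapeHtml(alt)}" src="${escapeHtml(safeSrc)}">`;
  });
}

// Quote-aware attribute parser for one HTML start tag. Returns a
// name -> raw value object, i.e. the attributes a browser would see.
function parseTagAttributes(tag) {
  const inner = tag.replace(/^<[a-zA-Z][^\s>]*/, '').replace(/\/?>$/, '');
  const attrs = {};
  const re = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(inner)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Check a rendered fragment for the two injection shapes in this issue:
// a live <script> element, or any tag carrying an on* event-handler attribute.
function containsActiveScript(html) {
  if (/<script\b/i.test(html)) return true;
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  return tags.some(tag =>
    Object.keys(parseTagAttributes(tag)).some(name => name.startsWith('on')));
}

// Constructed sample data reproducing the payloads from this thread.
const samplePosts = [
  { id: 1, title: "<script>alert('XSS in title')</script>" },
  { id: 2, title: 'Ordinary "quoted" title & ampersand' },
];
const sampleMarkdown = `![a" onerror="alert('Potential XSS');"](x)`;
```

In a Laravel/Blade template the same distinction is `{{ $post->title }}` (escaped) versus `{!! $post->title !!}` (raw). Escaping inside the image renderer fixes only this one markdown construct; most markdown dialects also pass raw HTML through, so the rendered HTML should additionally go through an allowlist sanitizer before it is stored or displayed.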
@austintoddj
Owner

First off, thanks for taking the time to create the issue. Closing because everything v3.x related will remain as-is and won't receive any more updates. The next release is slated for this week, so stay tuned!
