
Cross Site Scripting Vulnerability in HTMLy v-2.7.4 #382

Closed
riteshgupta1993 opened this issue Aug 11, 2018 · 12 comments

Comments

@riteshgupta1993

Vulnerability name: Cross Site Scripting
Severity: High
Submitted By: Ritesh Kumar
Email: riteshreapers@gmail.com
Vendor of Product: HTMLy
Version: 2.7.4
Attack type: remote

Hello,

I would like to report a vulnerability that I discovered in HTMLy-v2.7.4, which can be exploited to perform Cross-Site Scripting (XSS) attacks. The vulnerability exists due to insufficient sanitization in the "Content Field" parameter. The exploitation example below uses the "alert()" JavaScript function to display "1" as alert text.

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

STEPS TO REPRODUCE:

1. Log in to HTMLy.

2. Click on Add Content; the URL http://127.0.0.70///admin/content will be opened. Click on Regular post, and you will be redirected to http://127.0.0.70///add/content?type=post.

3. Enter text into the title (TESTING) and tag (TESTING1) parameters, and in the content field enter the malicious JavaScript <script>alert(1)</script>, then click on Publish.

4. After clicking on Publish, view that content (TESTING).

5. The XSS will get executed and 1 will be reflected in the browser.

PROOF OF CONCEPT:

1: Click on Add Content; the http://127.0.0.70///admin/content page will be opened, and on that page click on the Regular post button.

2: Fill in the text in the title and tag parameters, and in the "Content field" parameter give the malicious JavaScript XSS payload <script>alert(1)</script>, then click on the Publish button.

3: View that content (TESTING).

4: The XSS script "1" will be reflected in the browser.

Reference:
https://www.owasp.org/index.php/Crosssite_Scripting_(XSS)

@danpros
Owner

danpros commented Aug 11, 2018

Thanks for reporting it, but you need to log in first before you can access those pages. If you are logged out you will be redirected to the login page. The question is: can this be done if you are logged out?

@riteshgupta1993
Author

riteshgupta1993 commented Aug 11, 2018

Hello,
When I am logged out it is not possible, but when a user is logged in, say a hacker is the logged-in user, he/she can fetch the content of the website using a crafted malicious XSS JavaScript payload, which can be a very serious issue for the website because the confidentiality of website content can be breached by the logged-in user (a hacker), and it can be a serious security flaw.

@riteshgupta1993
Author

REFER THIS: GetSimpleCMS/GetSimpleCMS#1284

@riteshgupta1993
Author

REFER THIS: GetSimpleCMS/GetSimpleCMS#1293

@danpros
Owner

danpros commented Aug 11, 2018

I'm not worried about this because the attacker needs to log in first. It is natural that if the attacker can enter the admin area, it will be a big problem even on WordPress. So make sure to use a strong password and use reCaptcha for additional security.

@danpros
Owner

danpros commented Aug 12, 2018

Well, this is not a bug but a feature: https://github.com/showdownjs/showdown/wiki/Markdown%27s-XSS-Vulnerability-(and-how-to-mitigate-it). The blog owner has total freedom with what markup or content they create.

The CMSs mentioned above allow comments, or collecting data etc. from anonymous users (untrusted users), and HTMLy is different because there is no such feature in HTMLy: all users need to log in before they can create a post, and there is no built-in comment system. So at the moment I will leave it as is.

@riteshgupta1993
Author

OK, thanks.

@riteshgupta1993
Author

Hello team,
hope you are doing well.
There are lots of CMSs which use editors that do not execute JavaScript; they have the functionality to parse the HTML tags and display the raw content.
You can use "CKEditor", which filters XSS payloads.
So, I am recommending you to use those kinds of editors in your product.
REFER: https://www.drupal.org/project/drupal/issues/2099741
https://docs.telerik.com/kendo-ui/controls/editors/editor/preventing-xss

@trendschau

Just as a side note: I think you don't necessarily have to switch the frontend editor, because you can also switch the markdown parser. Parsedown, for example, has a safe mode that prevents most XSS attacks. BUT you won't be able to use any syntax other than markdown then (no HTML or JavaScript at all, which is a bit against the original markdown specification, which allows HTML) ...

On the other side, if a hacker gets your password, he will probably find other ways to inject malicious code (e.g. links to malicious websites or malicious image and file uploads?), so if someone gets your password, it is always hard or impossible to keep your website safe, isn't it? I think that even big enterprise systems are not safe if you get access to the admin area. But I am a bloody amateur in this field, so just a side note ...
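To make the Parsedown safe-mode trade-off discussed in this thread concrete, here is an added illustration (not HTMLy's own code, and not the fix the maintainer later references); it assumes Parsedown is installed via Composer and uses the payload from the report as constructed sample input:

```php
<?php
// Added example, not part of HTMLy. Assumes Parsedown (erusev/parsedown)
// is installed via Composer so that vendor/autoload.php exists.
require __DIR__ . '/vendor/autoload.php';

// Constructed sample post body: the content-field payload from the report,
// surrounded by ordinary Markdown and a harmless inline HTML element.
$postBody = "Intro paragraph.\n\n<script>alert(1)</script>\n\nClosing <em>text</em>.";

// Default behaviour: Markdown passes raw HTML through untouched, so the
// <script> element reaches the rendered page exactly as the author typed it.
$default = new Parsedown();
$htmlPassedThrough = $default->text($postBody);

// Hardened behaviour: safe mode escapes raw HTML (the <script> block and the
// harmless <em> alike, which is the "no HTML at all" trade-off noted above)
// and filters link/image URLs with unsafe schemes such as javascript:.
$hardened = new Parsedown();
$hardened->setSafeMode(true);
$htmlEscaped = $hardened->text($postBody);

// Regression check a maintainer can keep in a test suite: no <script>
// element may survive rendering of user-supplied Markdown.
function containsScriptTag(string $html): bool
{
    return preg_match('/<script\b/i', $html) === 1;
}

echo "Default:   ", $htmlPassedThrough, PHP_EOL;
echo "Safe mode: ", $htmlEscaped, PHP_EOL;
echo "Script survives (default)?   ", var_export(containsScriptTag($htmlPassedThrough), true), PHP_EOL;
echo "Script survives (safe mode)? ", var_export(containsScriptTag($htmlEscaped), true), PHP_EOL;
```

With the default parser the first check reports true; with safe mode the tag is emitted as `&lt;script&gt;...` text and the check reports false.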

@riteshgupta1993
Author

riteshgupta1993 commented Aug 15, 2018 via email

@danpros
Owner

danpros commented Aug 16, 2018

Hello,

I will close this one and mark it as won't fix because HTMLy will retain the current text editor (PHP Markdown Extra).

BTW thanks everyone,

@danpros
Owner

danpros commented May 6, 2020

This has been fixed: ec1cf1d
