Stored Cross-site Scripting (XSS) #981
Comments
Thanks, I'll try to fix, but next time please report security-related issues privately to avoid disclosing them before a fix is available.
Fixes #981
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Please try a 2.3.x variant once the CI ends. The same problem may occur on other pages; I will check before releasing the next version. Thanks
Hi, I noticed the lightbox issue, please wait a while before testing. I have some local changes that should fix the issue everywhere.
As you can see, to fix the image caption I added the
I'll push these changes later today after my work hours. I need some time to do proper tests. Thanks!
Fixed also in the development version.
Hi @drakkan, I've identified another XSS issue. I've outlined the details via email as requested. The newly identified XSS issue is present in the newest SFTPGo release v2.3.5. All other injection points outlined in this GitHub issue are successfully fixed in v2.3.5.
The latest sftpgo release v2.3.4 is susceptible to XSS.
The "webclient" application lacks proper input validation and output sanitization during file uploads. In detail, an authenticated attacker can upload a malicious file with a filename that contains HTML or JavaScript code. Upon successful file upload, the attacker's payload is executed in the browser.
PoC filename used:
Note that this issue can also be exploited by using the sharing capability of sftpgo. Successful exploitation requires an attacker to craft the following exploit setup:
More information to mitigate XSS can be found at: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
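The rendering defect the report describes, shown as an added example that is not SFTPGo's code and does not reproduce the project's actual code path: a hypothetical client-side listing renderer that concatenates filenames straight into markup, beside a hardened version that HTML-encodes every untrusted value for the context it lands in (element text, and a quoted attribute standing in for an image caption). The `renderRow*` helpers, the `containsInjectedMarkup` check, the field names and the sample filenames are all constructed for this example.

```javascript
// Added example: stored XSS through an uploaded filename, and the output
// encoding that prevents it. Hypothetical renderer, not SFTPGo's code.

// Minimal HTML escaper covering the five characters that matter in both
// element-content and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[ch]);
}

// Vulnerable: the filename is concatenated into markup verbatim, so a name
// such as <img src=x onerror=alert(1)> becomes live HTML as soon as the
// string is assigned to innerHTML. Both the link text and the title
// attribute (a caption) are injectable.
function renderRowUnsafe(file) {
  return `<tr><td><a href="#" title="${file.name}">${file.name}</a></td>` +
         `<td>${file.size}</td></tr>`;
}

// Hardened: every untrusted value is encoded before it is placed in markup.
// The same escaper works for element content and for a double-quoted
// attribute; other contexts (URLs, script blocks) need their own encoding.
function renderRowSafe(file) {
  const name = escapeHtml(file.name);
  return `<tr><td><a href="#" title="${name}">${name}</a></td>` +
         `<td>${escapeHtml(file.size)}</td></tr>`;
}

// Crude check used only to contrast the two renderers: does the output
// contain an element or an attribute-breakout that the template did not
// emit itself? A real test would parse the markup in a DOM.
function containsInjectedMarkup(html) {
  return /<(img|script|svg)\b|"\s+on\w+\s*=/i.test(html);
}

// Constructed sample listing (not captured data): one benign entry, one
// name targeting element content, one breaking out of the title attribute.
const sampleListing = [
  { name: 'report.pdf', size: 1024 },
  { name: '<img src=x onerror=alert(document.cookie)>', size: 10 },
  { name: '" onmouseover="alert(1)', size: 5 },
];

function renderListing(files, rowFn) {
  return `<table>${files.map(rowFn).join('')}</table>`;
}

// Renders the listing both ways and reports whether injected markup survived.
function demo() {
  const unsafe = renderListing(sampleListing, renderRowUnsafe);
  const safe = renderListing(sampleListing, renderRowSafe);
  return {
    unsafeInjected: containsInjectedMarkup(unsafe),
    safeInjected: containsInjectedMarkup(safe),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

In a browser the equivalent experiment is `document.body.innerHTML = renderListing(sampleListing, renderRowUnsafe)`, which fires the alert, while the safe renderer displays the filename literally. Building HTML strings at all is the weaker design; creating elements and setting `textContent`, or letting a templating library apply contextual escaping, removes the need to remember the escaper at each call site. As the report notes, the sharing feature lets the stored name reach other viewers, so the encoding has to happen on every page that renders a listing, not only the uploader's own view.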