
Admin page Stored Cross-site Scripting (XSS) #459

Closed
fvi-att opened this issue Mar 13, 2018 · 5 comments

Comments

@fvi-att

fvi-att commented Mar 13, 2018

Summary

enhavo CMS has an XSS security issue on the admin page.
An authorized attacker can put in any kind of JavaScript, and it is executed in an authorized victim's browser without inducement.

Reproduction

Here is how to reproduce this issue.

  1. Access the admin page.
  2. Create a Usergroup with the payload.
  3. Go back to the admin user group page.

Then you will find that a dialog appears and the XSS happens.

Payloads

Set the Usergroup as follows.

<img src=x onerror="alert(document.cookie);"/>

Event

  • 2018-03-05 Vulnerability discovered.
  • 2018-03-06 Contacted the developers.
  • 2018-03-13 Opened an issue.
@fvi-att
Author

fvi-att commented Mar 22, 2018

CVE-2018-8832 has been assigned.

@gseidel
Member

gseidel commented May 30, 2019

This was fixed with the new UI upgrade #611.

@gseidel gseidel closed this as completed May 30, 2019
@NicoleG25

@gseidel, could you please point out what the vulnerable file was?
Thanks in advance :)

@gseidel
Member

gseidel commented Apr 8, 2020

@NicoleG25 The problem was the file src/Enhavo/Bundle/AppBundle/Table/TableWidgetRenderer.php and the parent file src/Enhavo/Bundle/AppBundle/Type/AbstractRenderer.php.

The configuration set the return value as HTML-safe (the rendering engine Twig would escape dynamic values by default), which is not true for rendering the table grid, because it contains unsafe user values.

return array(
    new \Twig_SimpleFunction($this->getName(), array($this, 'render'), array('is_safe' => array('html'))),
);

The TableWidgetRenderer was removed by the mentioned PR, because the rendering is forwarded to Vue.js, which escapes HTML chars by default as well, but there no configuration changes the Vue.js behaviour.
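The root cause described above, as an added example that is not enhavo's code: a Twig function registered with `'is_safe' => ['html']` tells Twig not to autoescape its return value, so any user-controlled string that the function concatenates into its markup reaches the browser verbatim. The example registers the same kind of function twice, once with a renderer that trusts its input and once with a renderer that escapes every dynamic value itself, and checks what each one emits for a constructed user-group name containing a tag. It assumes PHP 8 and the `twig/twig` package installed via Composer (Twig 3 API; the issue's snippet uses the older `\Twig_SimpleFunction` name with the same `is_safe` option); the function and template names are hypothetical.

```php
<?php
// Added example, not enhavo's code. Requires: composer require twig/twig
require __DIR__ . '/vendor/autoload.php';

use Twig\Environment;
use Twig\Loader\ArrayLoader;
use Twig\TwigFunction;

// Constructed sample rows: the user-group name is attacker-controlled,
// as in the report. The second row carries a harmless marker tag.
$rows = [
    ['name' => 'editors', 'members' => 3],
    ['name' => '<img src=x onerror="alert(1)">', 'members' => 1],
];

// Vulnerable renderer: concatenates raw values into HTML and relies on
// Twig's autoescaping, which 'is_safe' => ['html'] has switched off.
function renderTableRaw(array $rows): string
{
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . $row['name'] . '</td><td>' . $row['members'] . '</td></tr>';
    }
    return $html . '</table>';
}

// Escape one value for an HTML text or attribute context.
function esc(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Fixed renderer: every dynamic value is escaped before it is embedded,
// so the returned string really is safe HTML and may be declared as such.
function renderTableEscaped(array $rows): string
{
    $html = '<table>';
    foreach ($rows as $row) {
        $html .= '<tr><td>' . esc((string) $row['name'])
               . '</td><td>' . esc((string) $row['members']) . '</td></tr>';
    }
    return $html . '</table>';
}

// Build a Twig environment whose 'table_widget' function is backed by the
// given PHP callable and, as in the issue, declared html-safe.
function makeEnvironment(callable $renderer): Environment
{
    $twig = new Environment(
        new ArrayLoader(['grid.html.twig' => '{{ table_widget(rows) }}']),
        ['autoescape' => 'html']
    );
    $twig->addFunction(new TwigFunction('table_widget', $renderer, ['is_safe' => ['html']]));
    return $twig;
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('check failed: ' . $message);
    }
}

$vulnerable = makeEnvironment('renderTableRaw')->render('grid.html.twig', ['rows' => $rows]);
$fixed      = makeEnvironment('renderTableEscaped')->render('grid.html.twig', ['rows' => $rows]);

// The vulnerable output contains the live tag; the fixed output only entities.
check(str_contains($vulnerable, '<img src=x onerror="alert(1)">'), 'raw renderer leaks the tag');
check(!str_contains($fixed, '<img'), 'escaped renderer emits no tag');
check(str_contains($fixed, '&lt;img src=x onerror=&quot;alert(1)&quot;&gt;'), 'escaped renderer emits entities');

echo "vulnerable: $vulnerable\n";
echo "fixed:      $fixed\n";
```

Dropping `is_safe` altogether would also stop the injection, but then Twig escapes the renderer's own `<table>` markup too and the grid no longer renders; the usable fix is the one shown, escaping each value at the point where it is inserted into markup, which is also what the Vue.js rendering that replaced this code does by default.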

@NicoleG25

Thank you!
