I found a vulnerability while testing Friendica locally. It allows an attacker to inject a payload into a post using BBCode tags, causing a stored XSS that affects all users who can read the post.
Vulnerability Description
The vulnerability allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Steps to reproduce
1. Log in to the application.
2. Create a new post with the following content:
[url=http://www.example.com" onmouseover="alert('XSS')]text[/url]
Proof of Concept
(Screenshots of the request, the response and the triggered payload were attached to the original report.)
More details
A similar issue with a possible injection using BBCode tags was solved some time ago. The payload from that issue is no longer executed; however, it still seems possible to cause an injection using a different approach, as described here.
References
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-592: Stored XSS
OWASP: Stored XSS
OWASP: Cross Site Scripting Prevention Cheat Sheet
Platform Info
This is Friendica, version 2023.12, running at the web location http://localhost. The database version is 1542/1542, the post update version is 1507/1507.
Apache version: Apache/2.4.56
PHP version: PHP/8.1.27
DB version: 11.2.2-MariaDB
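To make the attribute breakout in the report concrete, here is an added Python example; it is not Friendica's own PHP code (the project has its own BBCode converter and calls HTML::purify on the result). It shows a naive [url] tag rendering that reproduces the injection, a hardened rendering that allowlists the URL scheme and escapes the attribute value, and a coarse output-side check of the kind a second safety layer would apply to rendered HTML. The regexes, function names and sample inputs are constructed for this illustration; the payload string is the one from the report.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: the payload from the report above.
PAYLOAD = '[url=http://www.example.com" onmouseover="alert(\'XSS\')]text[/url]'

# Minimal [url=...]...[/url] matcher; hypothetical, not Friendica's own parser.
URL_TAG = re.compile(r'\[url=(.*?)\](.*?)\[/url\]', re.IGNORECASE | re.DOTALL)


def bbcode_url_naive(text):
    """Vulnerable rendering: the url= value is pasted straight into the href
    attribute, so a double quote inside it closes the attribute and whatever
    follows becomes extra attributes on the <a> element (here onmouseover)."""
    return URL_TAG.sub(lambda m: '<a href="%s">%s</a>' % (m.group(1), m.group(2)), text)


ALLOWED_SCHEMES = {"http", "https"}
# Characters that can never appear in a valid, unencoded URL and that
# attribute breakouts rely on: whitespace, quotes, angle brackets, controls.
BAD_URL_CHARS = re.compile(r"""[\s"'<>\x00-\x1f]""")


def safe_href(raw):
    """Return an attribute-safe href, or None if the value is not an
    acceptable absolute http(s) URL."""
    candidate = raw.strip()
    if BAD_URL_CHARS.search(candidate):
        return None
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return html.escape(candidate, quote=True)


def bbcode_url_safe(text):
    """Hardened rendering: validate the URL, escape both the attribute value
    and the link text, and drop the link (keeping its text) when the URL is
    rejected rather than emitting it anyway."""
    def render(m):
        href = safe_href(m.group(1))
        label = html.escape(m.group(2), quote=True)
        if href is None:
            return label
        return '<a href="%s" rel="noopener noreferrer">%s</a>' % (href, label)
    return URL_TAG.sub(render, text)


# Output-side check of the kind a second safety layer would run over rendered
# HTML before it is stored or served: inline event handlers and script-scheme
# URLs have no business in user content.
EVENT_HANDLER = re.compile(r'<[^>]*\son[a-z]+\s*=', re.IGNORECASE)
SCRIPT_SCHEME = re.compile(r'(?:href|src)\s*=\s*["\']?\s*(?:javascript|vbscript|data):', re.IGNORECASE)


def looks_unsafe(rendered_html):
    """True if the rendered markup contains an inline event handler or a
    script-scheme URL; a hit means the converter let something through."""
    return bool(EVENT_HANDLER.search(rendered_html) or SCRIPT_SCHEME.search(rendered_html))


if __name__ == "__main__":
    print("naive  :", bbcode_url_naive(PAYLOAD))
    print("unsafe?:", looks_unsafe(bbcode_url_naive(PAYLOAD)))
    print("safe   :", bbcode_url_safe(PAYLOAD))
```

Running the block shows the naive renderer producing an anchor with a live onmouseover attribute, exactly the hover-triggered behaviour the report describes, while the hardened renderer rejects the value (a quote and a space can't occur in a real URL) and emits only the link text. Rejecting rather than "repairing" is deliberate: escaping the quote would keep the post rendering a link to attacker-controlled garbage, and a scheme allowlist is what stops javascript: links that contain no quote at all.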
I can't reproduce this issue. On my system the HTML gets rid of this stuff when HTML::purify is called. There seem to be cases where the purification doesn't do what it should do. To add an additional safety layer, I created the PR #13889.
Do you get a picture of a "document" under "text" like in the screenshot I shared? The payload is triggered when hovering the mouse over that element.
I guess maybe the browser is making a difference. I tested on Firefox with the default configuration.
I also tested some other fields in the application that mention BBCode support, but was able to achieve a successful XSS only in the post content and post comment fields.
It's not browser-specific. At first I tested only the BBCode parser and not the storing of attachments. I now check some other locations as well. This should fix it.