
Multiple Persistent Cross-Site Scripting Vulnerabilities #82

Closed
preethikoroth opened this issue Feb 22, 2018 · 7 comments
preethikoroth commented Feb 22, 2018

Description: mojoportal is prone to multiple persistent cross-site scripting vulnerabilities because it fails to sanitize user-supplied input. The 'Title' and 'Subtitle' fields of 'Blog' page are vulnerable.

Impact: Attacker can execute arbitrary code in the browser of a random user.

Affected version: all

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:P/I:P/A:P

Credit: Preethi Koroth (@p3core0ath)

Thanks.

@preethikoroth
Author

This issue has been assigned CVE-2018-7447.

@JosephMDavis
Member

This is not an issue because these fields are only accessible by admins and this is a content management system. As a content management system, admins have to have the ability to add scripts to their pages. Further, the content wysiwyg editors also allow admins to add scripts to a page. While it would be silly to add them to the title or subtitle fields, it's not a vulnerability.

You are effectively calling site admins attackers if you think this is a problem.

Please close the CVE.

@CrispinF
Contributor

@JosephMDavis since it's pretty inconceivable anyone would want script in blog title or subtitle, wouldn't it be prudent to prevent execution when these are rendered on page? That would address OP's concern without any impact on mojo functionality. Or am I missing something?

@JosephMDavis
Member

Hi Crispin,

I've already done so in my copy. I'll push to the repo soon.

I just don't think it makes sense to call this a vulnerability and give the impression mojo has a security flaw like this.

Thanks,
Joe

@CrispinF
Contributor

@JosephMDavis agreed. And blog posts can never be created by anonymous users. But this seems like a safe and sensible change anyway.

@ElijahFowler
Member

@CrispinF I would argue that it's not any safer or prudent, as you can still put scripts (and rightfully so) in the excerpt and body of the post. I would agree, however, that it makes more sense to have these inputs output text only, as we can change the markup with the theme.skin.

@CrispinF
Contributor

To clarify, @ElijahFowler I meant "sensible" as in it should help close this CVE. And I meant "safe" as in this change won't remove any useful functionality.
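An added example, not mojoPortal's own code, of the text-only rendering the maintainers settle on above: the title and subtitle are HTML-encoded on output, while the body, which admins author as HTML by design, is passed through unchanged. The class, method names and sample post are assumptions made for the illustration.

```csharp
using System;
using System.Net;

// Added example (not mojoPortal code). Models the rendering policy from the
// thread: Title and Subtitle are emitted as text only, Body is trusted
// admin-authored HTML and is emitted as-is.
public sealed class BlogPostView
{
    public string Title { get; }
    public string Subtitle { get; }
    public string BodyHtml { get; }

    public BlogPostView(string title, string subtitle, string bodyHtml)
    {
        Title = title ?? string.Empty;
        Subtitle = subtitle ?? string.Empty;
        BodyHtml = bodyHtml ?? string.Empty;
    }

    // Encodes a value so the browser treats it as text, never as markup.
    // WebUtility.HtmlEncode escapes <, >, &, " and ' for an HTML context.
    public static string AsText(string value) =>
        WebUtility.HtmlEncode(value ?? string.Empty);

    // Builds the markup a theme would emit for the post header and body.
    // Only the text-only fields go through AsText; the body does not.
    public string Render()
    {
        return "<h2 class=\"blog-title\">" + AsText(Title) + "</h2>\n"
             + "<h3 class=\"blog-subtitle\">" + AsText(Subtitle) + "</h3>\n"
             + "<div class=\"blog-body\">" + BodyHtml + "</div>";
    }

    public static void Main()
    {
        // Constructed sample: markup placed in the title and subtitle fields,
        // as the report describes, plus an ordinary HTML body.
        var post = new BlogPostView(
            "Release notes <b>2018</b>",
            "Tag <script>alert(1)</script>",
            "<p>Admin-authored <em>HTML</em> stays HTML.</p>");

        // The title and subtitle render with their angle brackets encoded,
        // so no script in those fields executes; the body renders as HTML.
        Console.WriteLine(post.Render());
    }
}
```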
