Stored Cross-site Scripting in Client's Name #1727

Closed
ProDigySML opened this Issue Oct 30, 2017 · 5 comments

ProDigySML commented Oct 30, 2017

Issue

Anyone with the permission to change a client's name can use that parameter to gain arbitrary execution of JavaScript. Anyone who can create an invoice will be affected by this payload.

Steps to reproduce

  1. Create a client
  2. Change the client's name, first name, and last name to the following payload:
    </script><img src=x alert(1)>
  3. Go to create an invoice.
  4. Select that client. Observe an alert box has popped up.
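As an added illustration that is not the project's own code, the pattern that produces this class of bug is shown next to the output-encoding fix, on a hypothetical client-autocomplete row (the `renderClientRow*` and `escapeHtml` names are assumptions, and the stored name is the payload from this issue):

```javascript
// Constructed sample: a client record whose name field holds the reported payload.
const STORED_CLIENT = { id: 7, name: '</script><img src=x onerror=alert(1)>' };

// Vulnerable pattern: the dropdown row is built by string concatenation, so the
// saved name is handed to the HTML parser and any tag in it becomes live markup.
function renderClientRowUnsafe(client) {
  return '<li data-id="' + client.id + '">' + client.name + '</li>';
}

// Fix: encode the HTML-significant characters before the value enters markup.
// The browser then displays the text literally instead of parsing it. (With DOM
// APIs the equivalent is assigning the name via textContent, never innerHTML.)
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderClientRowSafe(client) {
  return '<li data-id="' + escapeHtml(client.id) + '">' + escapeHtml(client.name) + '</li>';
}

// Regression check: the rendered row must not contain the raw name when that
// name carries angle brackets; returns true when encoding did its job.
function nameIsInert(renderFn, client) {
  const html = renderFn(client);
  return !/[<>]/.test(client.name) || !html.includes(client.name);
}
```

Running `nameIsInert(renderClientRowUnsafe, STORED_CLIENT)` returns false and the safe variant returns true, which is the assertion a template unit test for this field should carry.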

@turbo124 turbo124 added the triage label Oct 30, 2017

turbo124 Oct 30, 2017

Member

What browser are you testing this scenario with?

I've attempted to create the issue with Chrome Version 61.0.3163.100 (Official Build) (64-bit) and have been unable to recreate it.

ProDigySML Oct 30, 2017

@turbo124 I am using Version 61.0.3163.100 (Official Build) (64-bit) too.
I just realised I missed something in the payload, can you please try this one out?
</script><img src=x onerror=alert(1)>
Sorry about that mistake. I missed adding in the event handler...

ProDigySML Oct 30, 2017

@turbo124 Apologies for this inconvenience, but can you please try to select the client with the malicious payloads stored when creating the invoice? That should trigger it. If that doesn't work, I'll make a step-by-step PoC to ensure it is verifiable... :)

turbo124 Oct 30, 2017

Member

@ProDigySML ok, I was able to recreate this now. I had to start typing the client name for the popup to load.

hillelcoren Oct 30, 2017

Member

Thanks for catching this!
