I was looking through your application (V2.7.1), and I discovered a stored XSS bug at "admin/files/edit".
While most of the pages filter out tags that are not in the whitelist when "Use HTML" is on, "admin/files/edit" seems to allow them. My guess is that this is not the expected behavior?
POC:
1. Create an item with a file attachment.
2. Edit the file.
3. Place `<img src=x onerror=alert(1)>` in one of the fields and toggle "Use HTML" to on. (An alert should pop up now, but ignore that and save changes.)
4. Access the page containing the file, and an alert should pop up.
5. (Optional) Switch to a different account to verify that this affects all users.
Impact: client-side code execution
This bug shouldn't be very dangerous since it is only available to contributors, admins, and superusers.
The session cookie is HttpOnly, and the CSRF tokens seem to be set properly (upon first glance).
However, the XSS bug can be leveraged in many other ways, and it could increase the impact of a future vulnerability. Therefore, it's probably better to have it fixed.
Please let me know if anything is unclear, or if this is not a legitimate issue.
Thanks in advance!
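The report says that the other edit pages strip tags not in a whitelist when "Use HTML" is on, and that the files edit page is the one form where that filter is not applied. The following is an added example, not Omeka's own code and not the reporter's, showing what such an allowlist filter does to the PoC payload above: it rebuilds the fragment from scratch, keeping only allowlisted tags and attributes, so every `on*` event handler and every `javascript:` URL is dropped regardless of how the tag is written. The allowlist itself (`ALLOWED_TAGS`, `ALLOWED_ATTRS`, `SAFE_URL_PREFIXES`) is a constructed assumption, and the `dropped` list is there so a server can log what a user tried to save, which is a useful detection signal for exactly this kind of bug.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for the example; Omeka's real filter configuration is not shown here.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}                      # never emit a closing tag for these
SAFE_URL_PREFIXES = ("http://", "https://", "/")  # blocks javascript:, data:, etc.


class AllowlistSanitizer(HTMLParser):
    """Re-serialises untrusted HTML, keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output pieces
        self.dropped = []      # everything stripped; worth logging server-side
        self._raw_tag = None   # set while inside <script>/<style> so their text is swallowed

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._raw_tag = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:   # HTMLParser already lower-cases tag and attribute names
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                # Any attribute outside the allowlist is dropped, which covers every on* handler.
                self.dropped.append(("attr", f"{tag}@{name}"))
                continue
            if name in ("href", "src") and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                self.dropped.append(("url", f"{tag}@{name}={value}"))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == self._raw_tag:
            self._raw_tag = None
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped, so any markup that survived as text cannot become live HTML.
        if self._raw_tag is None:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        self.dropped.append(("comment", data))   # comments are never re-emitted


def sanitize(fragment):
    """Return (clean_html, dropped) for an untrusted fragment submitted with 'Use HTML' on."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # The PoC payload from the report, used as constructed sample input.
    clean, dropped = sanitize("<img src=x onerror=alert(1)>")
    print(clean)     # <img>
    print(dropped)   # [('url', 'img@src=x'), ('attr', 'img@onerror')]
```

The point of rebuilding rather than pattern-matching is that the filter never has to recognise the payload: anything not explicitly allowed is gone, so the same code handles `onerror`, `onload`, `<script>`, and `javascript:` links without a per-case rule. Applying one such filter to every form that honours "Use HTML", the files edit form included, is what closes the gap the report describes.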