Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Stored XSS in the admin/files/edit page #935

Closed
EvanYu0816 opened this issue Feb 3, 2021 · 2 comments
Closed

Stored XSS in the admin/files/edit page #935

EvanYu0816 opened this issue Feb 3, 2021 · 2 comments

Comments

@EvanYu0816
Copy link

Hello Omeka Team!

I was looking through your application (V2.7.1), and I discovered a stored XSS bug at "admin/files/edit".
While most of the pages filter out tags that are not in the whitelist when "Use HTML" is on, "admin/files/edit" seems to allow them. My guess is that this is not the expected behavior?

POC:

  1. Create an item with a file attachment
  2. Edit the file
  3. Place <img src=x onerror=alert(1)> in one of the fields and toggle "Use HTML" to on. (An alert should pop up now, but ignore that and save changes)
  4. Access the page containing the file, and an alert should pop up.
  5. (Optional) Switch to a different account to verify that this affects all users.

Impact: client-side code execution
This bug shouldn't be very dangerous since it is only available to contributors, admins, and superusers.
The session cookie is httponly, and the csrf tokens seem to be set properly (upon first glance).
However, the XSS bug can be leveraged in many other ways, and it could increase the impact of a future vulnerability. Therefore, it's probably better to have it fixed.

Please let me know if anything is unclear, or if this is not a legitimate issue.
Thanks in advance!

@zerocrates
Copy link
Member

Thank you for the report.

It's definitely a bug. I think you're right about the fairly limited impact but we'll have this fix included in the next release, of course.

@EvanYu0816
Copy link
Author

Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants