This repository has been archived by the owner on Jan 1, 2020. It is now read-only.

Reflected Cross-site scripting (XSS) vulnerability in REDAXO 5.6.2 #421

Closed
Balis0ng opened this issue Sep 25, 2018 · 1 comment · Fixed by #424

details

in redaxo/src/addons/mediapool/pages/index.php:13

```php
global $subpage, $ftitle, $error, $success;

// -------------- Defaults
$subpage = rex_be_controller::getCurrentPagePart(2);
$func = rex_request('func', 'string');
$success = htmlspecialchars(rex_request('info', 'string'));
$error = htmlspecialchars(rex_request('warning', 'string'));
$args = rex_request('args', 'array'); // user-controlled array from the request
$regex = '@<(/?(?:b|i|code)|br ?/?)>@i';
$success = preg_replace($regex, '<$1>', $success);
$error = preg_replace($regex, '<$1>', $error);

// -------------- Additional Args
$arg_url = ['args' => $args];
$arg_fields = '';
foreach ($args as $arg_name => $arg_value) {
    // $arg_value is escaped, but $arg_name (the array key) is written into the name attribute as-is
    $arg_fields .= '<input type="hidden" name="args[' . $arg_name . ']" value="' . htmlspecialchars($arg_value) . '" />' . "\n";
}
```

It is worth noting that the value of $args here is introduced from the HTTP request, and the value is an array.
Then the $args is processed by foreach. The program uses the htmlspecialchars function to process $arg_value, but does not handle $arg_name. So an attacker can insert an attack payload at $arg_name to cause XSS.

POC

The user directly accesses the URL if the user has logged in.
http://localhost/redaxo/index.php?page=mediapool/media&opener_input_field=&args[%22%3E%3Cscript%3Ealert(1)%3C/script%3E//]=12

XSS will be triggered as shown:

Credit: ADLab of VenusTech
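As an added example (not part of the report, and not the fix that landed in #424), the hidden-field loop from the report next to a hardened version that escapes the array key as well as the value and drops keys that are not plain identifiers; the function names and the identifier-shaped key rule are assumptions made for this illustration.

```php
<?php
// Added example, not REDAXO code: the reported loop beside a hardened version.

// Vulnerable form (as in the report): only $arg_value is escaped, so a key
// containing a quote and angle brackets closes the attribute and the tag.
function renderHiddenArgsVulnerable(array $args): string
{
    $fields = '';
    foreach ($args as $name => $value) {
        $fields .= '<input type="hidden" name="args[' . $name . ']" value="'
            . htmlspecialchars($value) . '" />' . "\n";
    }
    return $fields;
}

// Hardened form: both key and value are escaped with ENT_QUOTES so neither can
// leave a single- or double-quoted attribute, and keys must look like plain
// identifiers (an assumption about what this parameter legitimately carries).
function renderHiddenArgsSafe(array $args): string
{
    $fields = '';
    foreach ($args as $name => $value) {
        if (!preg_match('/^[A-Za-z0-9_\-]{1,64}$/', (string) $name)) {
            continue; // reject keys that are not plain identifiers
        }
        if (!is_scalar($value)) {
            continue; // nested arrays are not expected in a hidden field
        }
        $n = htmlspecialchars((string) $name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $v = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $fields .= '<input type="hidden" name="args[' . $n . ']" value="' . $v . '" />' . "\n";
    }
    return $fields;
}

// Constructed input with the same shape as the report's request: one key that
// tries to break out of the attribute, one benign key.
$args = ['"><b>x</b>//' => '12', 'category_id' => '7'];

echo "--- vulnerable ---\n", renderHiddenArgsVulnerable($args);
echo "--- hardened ---\n", renderHiddenArgsSafe($args);
```

In the vulnerable output the first key ends the name attribute and injects a `<b>` element; in the hardened output that key is dropped entirely and only the `category_id` field is emitted.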

@staabm staabm added the bug label Sep 25, 2018
@staabm staabm self-assigned this Sep 25, 2018

staabm commented Sep 25, 2018

Thanks for the report. Will try to fix it when time allows.
