This repository has been archived by the owner on Jan 1, 2020. It is now read-only.

(2) Reflected Cross-site scripting (XSS) vulnerability in REDAXO 5.6.2 #422

Closed
Balis0ng opened this issue Sep 25, 2018 · 0 comments · Fixed by #424

Comments

@Balis0ng

details

in redaxo/src/addons/mediapool/pages/index.php:32

$opener_link = rex_request('opener_link', 'string');
$opener_input_field = rex_request('opener_input_field', 'string', '');
echo $opener_input_field;
if ($opener_input_field != '') {
    $arg_url['opener_input_field'] = $opener_input_field;
    $arg_fields .= '<input type="hidden" name="opener_input_field" value="' . htmlspecialchars($opener_input_field) . '" />' . "\n";
}

The value of $opener_input_field is obtained from an HTTP request and is a string.

in redaxo/src/addons/mediapool/pages/index.php:99

<script type="text/javascript">
<!--

<?php echo $retainEventHandlers ?>

function selectMedia(filename, alt)
{
    var opener_input_field = "<?= $opener_input_field ?>";

    var event = opener.jQuery.Event("rex:selectMedia");
    opener.jQuery(window).trigger(event, [filename, alt]);
    if (!event.isDefaultPrevented()) {
        if (opener_input_field) {
            opener.document.getElementById(opener_input_field).value = filename;
        }
        self.close();
    }
}

This directly outputs $opener_input_field into the JS code, causing an XSS vulnerability.

POC

The user directly accesses the URL if the user has logged in.
http://localhost/redaxo/index.php?page=mediapool/media&opener_input_field=%3C/script%3E%3Cscript%3Ealert(/xss/)%3C/script%3E

XSS will be triggered as shown:

Credit: ADLab of VenusTech
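The following is an added example written for this page; it is not REDAXO's own code and not the fix merged in #424. It shows the two controls a defender would apply to the pattern reported above: since the value is later used as a DOM element id, it is first checked against an allowlist pattern (the id pattern and the function names here are assumptions), and it is then emitted into the inline script as a JSON-encoded string literal with the `JSON_HEX_*` flags, so the output can never contain `</script` or an HTML attribute delimiter. Requires PHP 7.3 or later for `JSON_THROW_ON_ERROR`.

```php
<?php
// Added example: hardening a request parameter that is interpolated into an
// inline <script> block as a JavaScript string literal. Not REDAXO's code.

declare(strict_types=1);

/**
 * Encode an arbitrary string as a JavaScript string literal that is safe to
 * embed inside an inline <script> element. json_encode() already escapes
 * backslashes, quotes, control characters, '/' and U+2028/U+2029; the HEX
 * flags additionally turn <, >, &, ' and " into \uXXXX escapes, so the result
 * cannot close the script element or break out of an attribute.
 */
function js_string_literal(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

/**
 * Allowlist control (assumed pattern): the value names a DOM element id in the
 * opener window, so anything that is not a plausible id is replaced by the
 * empty string, which the original code already treats as "no field".
 */
function sanitize_field_id(string $value): string
{
    return preg_match('/\A[A-Za-z][A-Za-z0-9_:.-]{0,127}\z/', $value) === 1 ? $value : '';
}

/** The reported pattern, kept only for contrast: raw interpolation. */
function render_vulnerable(string $opener_input_field): string
{
    return "<script>\nvar opener_input_field = \"" . $opener_input_field . "\";\n</script>";
}

/** The same block with both controls applied. */
function render_hardened(string $opener_input_field): string
{
    $field = sanitize_field_id($opener_input_field);
    return "<script>\nvar opener_input_field = " . js_string_literal($field) . ";\n</script>";
}

// Constructed inputs: the URL-decoded payload from the report, and a benign id.
$payload = '</script><script>alert(/xss/)</script>';
$benign  = 'REX_MEDIA_1';

echo "--- vulnerable (payload) ---\n", render_vulnerable($payload), "\n\n";
echo "--- hardened (payload, rejected by allowlist) ---\n", render_hardened($payload), "\n\n";
echo "--- hardened (benign id passes) ---\n", render_hardened($benign), "\n\n";
// Even without the allowlist, the encoder alone keeps the script element intact:
// "\u003C\/script\u003E\u003Cscript\u003Ealert(\/xss\/)\u003C\/script\u003E"
echo "--- encoder only (payload) ---\n", js_string_literal($payload), "\n";
```

Run it with `php example.php`. The allowlist is the primary control because it matches what the value is actually used for (an element id); the context-aware encoder is the backstop that makes the `<script>` context safe even for values the allowlist does not cover. `htmlspecialchars()`, which the same file already applies to the hidden `<input>` value, is the right encoder for HTML attribute context but not for a JavaScript string context.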
