Shimmie – Cross-Site Scripting (XSS)

[bestshow]

Product: Shimmie
Download: https://github.com/shish/shimmie2
Vunlerable Version: 2.5.1 and probably prior
Tested Version: 2.5.1
Author: ADLab of Venustech

Advisory Details:
A Cross-Site Scripting (XSS) was discovered in“Shimmie 2.5.1”, which can be exploited to execute arbitrary code.
The vulnerability exists due to insufficient filtration of user-supplied data in the “log” HTTP GET parameter passed to the “shimmie2-master/ext/chatbox/history/index.php” URL. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
The exploitation example below uses the "alert()" JavaScript function to see a pop-up messagebox:
Poc:
http://localhost/.../shimmie2-master/ext/chatbox/history/index.php?log=%27xx%27});%3C/script%3E%3Cscript%3Ealert(1);%3C/script%3E

[jgen]

Thank you very much for reporting this issue!

The change in pull-request #598 should fix this issue.

[shish]

Tempting to rewrite the chatbox from scratch, yshout is the source of so many code warnings it's no surprise some serious stuff slipped through :(

[jgen]

To be honest, that was my thought as well. Though, as I don't have much time, I went with the tactical fix.
I wonder how many people make use of the extension though? Could it possibly be removed from the main releases until it is cleaned up?

[jgen]

Well, in any case, this has been fixed on the develop branch. Hopefully, we can get a release out in the near future, which will have this fix as well. (See #599)