New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
XSS vulnerability in ThirtyBees #774
Comments
I saw this earlier, I am not sure on how much of a risk this actually is. |
The risk is diminished, because planting the exploit probably requires administrator account, but otherwise it has all the consequences of an XSS attack: |
You are correct about that. We were actually talking about removing the bsql from the backend this week since once backend access is gained that whole shop is considered lost. |
Losing an administrator account is usually not as dangerous as the possibility of continuous, concealed and unrestricted execution of malicious JavaScript in all client's and administrator's browsers. Manipulation with data and manipulation with code are generally two different things. But the evaluation of security risks in your application is your choice in the end. I'm not aware of the peculiarities of thirtybees and how you deal with code/data separation. If you don't care about it anyway, than keeping the flaw in there is probably not a big difference. |
Let me start by saying I value your contribution and it will make it into the next version, especially since it is a simple change. But with that being said, once the admin account is lost, You have to assume everything is lost. Since we are a plugin / module type software, like most, once you have an admin account you have unfettered access to the database and file system. While a persistent XSS attack is bad, there are actually much worse attacks. I have seen some that started off in the back office where people "upgrade" a payment module a full version, but have added code to send them all of the credit card numbers while still charging things like normal. Because they manipulated the touch times using a shell script, no telling how long they had been in place. We do value security at thirty bees, not just for our end users, but also the customer data they collect as well. But you have to be prepared for the reality once someone gets back office access a complete system audit needs to take place. |
OK, that makes sense. Thanks for the explanation - the possibility to add plugins with code makes it clear to me. |
Yeah, while anything is that is executed through the system is sanitized, the plugins can have files that are meant to be directly accessed, like say someone compiles a plugin with a shell script file. That will give the uploader of the plugin read / write access on the whole server. There is nothing we can really write in to stop that. |
Thought about this immediately. A vulnerability in the installer is harmless, because the installer goes away right after installation, but what about all the password fields elsewhere? A customer entering a malicious password or user name and a merchant looking up this user is certainly a risk. |
Here I have two others: |
Here are five more: |
Here are the last two: |
Let me express a big THANK YOU, even if I can't move this into the code right now. Great work! |
Search configuration page allows for XSS injection attack. Related to #774
physical_uri and virtual_uri are used to construct url for various assets. We need to ensure they contain valid values only. Related to #774
Search term needs to be escaped Related to #774
Selected date range value needs to be escaped to prevent XSS injection. Related to #774
Escape id_state value before rendering it to form javascript Related to #774
We need to properly handle date filter values that are displayed in breadcrumbs in order to prevent XSS injection. Related to #774
Language fields emitted as part of form javascript needs to be properly escaped to prevent potential XSS injection Related to #774
I believe all reported issues were fixed by commits listed above. Closing |
Search configuration page allows for XSS injection attack. Related to thirtybees#774
physical_uri and virtual_uri are used to construct url for various assets. We need to ensure they contain valid values only. Related to thirtybees#774
Search term needs to be escaped Related to thirtybees#774
Selected date range value needs to be escaped to prevent XSS injection. Related to thirtybees#774
Escape id_state value before rendering it to form javascript Related to thirtybees#774
We need to properly handle date filter values that are displayed in breadcrumbs in order to prevent XSS injection. Related to thirtybees#774
Language fields emitted as part of form javascript needs to be properly escaped to prevent potential XSS injection Related to thirtybees#774
Please, see video with the exploitation:
thirtybees.zip
The text was updated successfully, but these errors were encountered: