
[Security] Stored XSS in platform name #53

Closed
edoardottt opened this issue Feb 19, 2023 · 5 comments

Comments

@edoardottt

Tested version: b80b09d (latest)

Steps to reproduce the vulnerability:

  • Log in to the application.
  • Click on setup.
  • Click on settings.
  • Set "><img src=x onerror=alert(document.domain)> as the platform name and save.
  • Log out and the XSS will fire.

[Screenshots attached: poc1, poc2]

@Gera-IC
Contributor

Gera-IC commented Feb 19, 2023

Hello [edoardottt], thank you for your comment. The problem can be solved by applying String.removeTags() to remove all HTML tags from the name in both forms that you mentioned, before submitting them.

Example:
form.name = form.name.removeTags();

Surely there are some other solutions in Total.js.

@edoardottt
Author

Don't rely on these naive solutions; there are specific libraries to sanitize input. You can use symbols in fields, but they will simply be rendered as pure text and not HTML.
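As an added illustration of the "render as pure text" approach recommended above (example code written for this page, not code from the project or from either commenter; the helper names escapeHtml and renderPlatformName are assumptions), this encodes the stored name at output time so the payload from the report is displayed literally instead of being parsed as markup:

```javascript
// Added example: HTML-escape untrusted text at output time so a stored
// platform name is shown as text rather than parsed as markup.
// Helper names here (escapeHtml, renderPlatformName, hasRawMarkup) are
// assumptions for this example, not Total.js APIs.

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode the five characters that can change HTML structure or break out
// of a quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Build the markup that displays the platform name (e.g. on the login
// screen). The name enters the markup only through escapeHtml, both in
// element content and inside the title attribute.
function renderPlatformName(name) {
  const safe = escapeHtml(name);
  return `<h1 class="platform-name" title="${safe}">${safe}</h1>`;
}

// Check helper: after removing the fixed <h1> wrapper, no raw angle
// brackets may remain, i.e. the user-controlled part contains no markup.
function hasRawMarkup(html) {
  const inner = html.replace(/^<h1[^>]*>/, '').replace(/<\/h1>$/, '');
  return /[<>]/.test(inner);
}

// Constructed inputs: the payload from the report, and a legitimate name
// that contains symbols which tag stripping would otherwise mangle.
const storedPayload = '"><img src=x onerror=alert(document.domain)>';
const legitimateName = 'Acme <3 Security & Co.';

console.log(renderPlatformName(storedPayload));   // tags appear as visible text
console.log(renderPlatformName(legitimateName));  // symbols survive unchanged on screen
```

In a browser the same effect is obtained by assigning the name to `textContent` (or `setAttribute` for attributes) instead of `innerHTML`; a template engine with auto-escaping enabled does this for you.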

@petersirka
Collaborator

Hi @edoardottt. Thank you for the report. I can't reproduce this issue because I think that it's related to the previous issue with the user name. I found a bug in a helper (on FE) for generating name initials.

@edoardottt
Author

edoardottt commented Feb 19, 2023

@petersirka exactly. If in the same instance you have injected the payload in the user name, this issue is not exploitable (because it's impossible to reach the settings). I had to deploy a new instance from scratch.

@petersirka
Collaborator

Closing. Again, thank you for the report.
