Cross-site Scripting (XSS) - Stored in typecho/typecho
May 31st 2021
Stored xss against higher level user
There are several user roles, such as admin and contributor.
A contributor can write a post containing an XSS payload; when an admin opens that post, the payload executes in the admin's session.
A contributor could therefore change the admin's password, update the admin's email address, steal the session cookie, and so on.
💥 STEP TO REPRODUCE
1. From the admin account, go to
http://localhost/typecho-master/admin/manage-users.php and add a new user called user-B with the contributor role.
A contributor can write posts from this account.
2. Now log in as user-B and write a post with the XSS payload below as the post content, then save it.
xss"'><img src=x onerror=alert(document.cookie)>
Now let's assume the post ID is 4.
If the admin then tries to edit this post using a URL like
http://localhost/typecho-master/admin/write-post.php?cid=4, the XSS is executed.
💥 SUGGESTED FIX
There are many ways to prevent XSS attacks.
You may use a sanitization library such as HTML Purifier or DOMPurify, or use the urlencode() / htmlspecialchars() functions.
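The following is an added illustration of the htmlspecialchars() fix, not code from Typecho itself; the form markup is a hypothetical stand-in for the write-post.php edit page. It renders the report's payload once without escaping and once escaped for the HTML context (htmlspecialchars() is the right call for HTML output; urlencode() is meant for URL components, not for text placed into a page).

```php
<?php
// Post content as stored by the contributor: the payload from the report.
$postContent = 'xss"\'><img src=x onerror=alert(document.cookie)>';

// Vulnerable pattern: stored content is echoed straight into an attribute
// value and into the body of the edit form, so browser parses the payload.
function renderUnsafe(string $content): string
{
    return '<input name="title" value="' . $content . '">'
         . '<textarea name="text">' . $content . '</textarea>';
}

// Hardened pattern: escape for the HTML context at the point of output.
// ENT_QUOTES neutralises both " and ' so attribute values are covered as
// well as text nodes; ENT_SUBSTITUTE avoids returning an empty string (and
// silently dropping the content) if the input contains invalid UTF-8.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSafe(string $content): string
{
    return '<input name="title" value="' . escapeHtml($content) . '">'
         . '<textarea name="text">' . escapeHtml($content) . '</textarea>';
}

// Returns true when the rendered markup still contains a live <img> tag,
// i.e. when the payload survived as HTML rather than as inert text.
function containsLiveImgTag(string $html): bool
{
    return strpos($html, '<img') !== false;
}

$unsafe = renderUnsafe($postContent);
$safe   = renderSafe($postContent);

echo 'unsafe output keeps the tag: ', var_export(containsLiveImgTag($unsafe), true), PHP_EOL;
echo 'escaped output keeps the tag: ', var_export(containsLiveImgTag($safe), true), PHP_EOL;
echo $safe, PHP_EOL;
```

The same escaping must be applied everywhere contributor-supplied fields are printed in the admin interface, since a single unescaped sink is enough for the stored payload to fire.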
https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.geeksforgeeks.org/how-to-prevent-xss-with-html-php/
I have contacted the maintainer via a GitHub Issue and will await their response.