Cross-site Scripting (XSS) - Stored in typecho/typecho

Valid
Reported on May 31st 2021

💥 BUG

Stored XSS against a higher-level user

💥 IMPACT

I see there is no XSS protection in post writing, which allows executing JavaScript commands.
There are many types of roles, like admin, contributor, etc.
So, here a contributor user can write a post with an XSS payload, and when the admin opens this post, the XSS is executed under the admin account.
So, a contributor can achieve arbitrary JavaScript code execution in the admin account, and since he can execute any JavaScript, the contributor can change his role to admin.
Or the contributor can change the admin password, update the email address, steal the session cookie, etc.

💥 STEPS TO REPRODUCE

1. From the admin account, go to http://localhost/typecho-master/admin/manage-users.php and add a new user called user-B with the contributor role.
A contributor can write a post here.

2. Now go to the user-B account and write a post with the XSS payload below as the post content, then save it.

xss"'><img src=x onerror=alert(document.cookie)>

Now let's assume the post id is 4.

3. Now whenever the admin tries to edit this post, the XSS fires and the JavaScript code is executed in the victim's account.
So, if the admin tries to edit this post using a URL like http://localhost/typecho-master/admin/write-post.php?cid=4, the XSS is executed.

💥 SUGGESTED FIX

There are many ways to prevent XSS attacks.
You may use a sanitization library such as HTML Purifier or DOMPurify, or use the urlencode() and htmlspecialchars() functions.
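As an added illustration of the htmlspecialchars() suggestion (example code, not Typecho's own), the snippet below renders the report's payload into the two contexts an edit form uses, a quoted attribute and a textarea, once unescaped and once encoded. The variable and function names are made up for the example.

```php
<?php
// Added example, not Typecho code: encode untrusted post content before it is
// written into the admin edit form. The value below is the payload from the report.
$content = 'xss"\'><img src=x onerror=alert(document.cookie)>';

// HTML-context encoder. ENT_QUOTES is passed explicitly: on PHP < 8.1 the default
// flags leave single quotes unencoded, so a value placed in a single-quoted
// attribute could still break out. (urlencode() is for URL components, not HTML.)
function escapeHtml(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Unsafe: the raw value closes the value="..." attribute and the <img> tag
// with its onerror handler becomes part of the page.
$unsafeAttr = '<input type="text" name="title" value="' . $content . '">';

// Safe: quotes and angle brackets are entity-encoded, so the whole payload
// stays inside the attribute as literal text.
$safeAttr = '<input type="text" name="title" value="' . escapeHtml($content) . '">';

// Safe: the post body inside a textarea. Without encoding, a "</textarea>" in the
// content would end the element; "<" becoming "&lt;" prevents that as well.
$safeBody = '<textarea name="text">' . escapeHtml($content) . '</textarea>';

echo "Unsafe attribute:\n", $unsafeAttr, "\n\n";
echo "Encoded attribute:\n", $safeAttr, "\n\n";
echo "Encoded textarea body:\n", $safeBody, "\n";
```

Encoding belongs at the point where the value is written into HTML, in the context it is written into; storing the post text unmodified and escaping on output keeps the original content editable.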

💥 REFERENCES

https://owasp.org/www-community/attacks/xss/
https://portswigger.net/web-security/cross-site-scripting
https://en.wikipedia.org/wiki/Cross-site_scripting
https://www.geeksforgeeks.org/how-to-prevent-xss-with-html-php/