Cross-site Scripting (XSS) - Stored in getgrav/grav
Feb 19th 2022
(Line Feed character) in the href attribute of the <a> tag to bypass the XSS checks of
Proof of Concept
STEP 1: A low-priv user creates a page with the following payload:
:alert(document.domain)">CLICK HERE TO EXPLOIT THIS XSS</a>
STEP 2: The victim visits the page and clicks on
CLICK HERE TO EXPLOIT THIS XSS
The XSS alert shows the domain name.
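Added example (not Grav's code and not the fix in the linked commit): a stand-alone Python illustration of why a substring check for `javascript:` misses a scheme split by a line feed, beside a check that normalises the attribute value the way the browser does before reading the scheme. The blocklist, the helper names and the sample links are assumptions.

```python
import re
from html.parser import HTMLParser

# Assumed blocklist: schemes whose href runs as script in the browser.
SCRIPT_SCHEMES = {"javascript", "vbscript", "data"}

# Browsers drop ASCII tab, LF and CR anywhere in a URL, and leading/trailing
# C0 controls and spaces, before they read the scheme (WHATWG URL parsing).
_TAB_NEWLINE = re.compile(r"[\t\n\r]")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):", re.IGNORECASE)

def naive_href_is_dangerous(href: str) -> bool:
    """Substring check of the kind this report bypasses: 'javascript\\n:' never matches."""
    return "javascript:" in href.lower()

def hardened_href_is_dangerous(href: str) -> bool:
    """Normalise the value the way the browser will, then compare the scheme."""
    cleaned = _TAB_NEWLINE.sub("", href).strip(_C0_AND_SPACE)
    match = _SCHEME.match(cleaned)
    return bool(match) and match.group(1).lower() in SCRIPT_SCHEMES

class _HrefCollector(HTMLParser):
    """Collect href values; HTMLParser decodes entities such as &#10; into the raw LF."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name == "href" and value is not None:
                self.hrefs.append(value)

def flagged_hrefs(fragment: str, check=hardened_href_is_dangerous) -> list:
    """Return the href values in an HTML fragment that the given check rejects."""
    parser = _HrefCollector()
    parser.feed(fragment)
    parser.close()
    return [h for h in parser.hrefs if check(h)]

# Constructed sample content: a benign link, a plain javascript: link, and the
# line-feed variant from this report written as an entity inside the attribute.
SAMPLE = (
    '<a href="https://example.com/docs">docs</a>'
    '<a href="javascript:alert(document.domain)">plain</a>'
    '<a href="javascript&#10;:alert(document.domain)">line feed</a>'
)
```

Running `flagged_hrefs(SAMPLE, naive_href_is_dangerous)` returns only the plain link, while `flagged_hrefs(SAMPLE)` also returns the line-feed variant.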
Thanks for this @r0hansh . I accepted it, however this is quite a stretch to be considered a medium severity vulnerability. Looks like you have been reporting a bunch of variations of this vulnerability. We don't really consider it as such to be honest. Getting to be able to add that content requires you already bypassed several other levels of security that Grav has in place, like, for instance, logging in. The XSS detection is just a visual aid for content editors that admins can enable, and it is specifically for the optional admin plugin.
There are endless variations of what you have reported and we won’t consider them vulnerabilities going forward.
This is my second submission to grav. Last time, you guys fixed the vulnerability and did not ask for a retest. So, I tested your patch and found a bypass to exploit this vulnerability. I don't have the intent to submit the same vulnerabilities again and again. It's just a bypass to what you guys fixed.
I started my research after reading this medium severity report: https://huntr.dev/bounties/b1182515-d911-4da9-b4f7-b4c341a62a8d/. As mentioned, a low-priv user having the create/update pages privilege can still exploit this vulnerability.
Since it is your project, I will respect your final decision on whether this class can be considered a security bug or not. I will be happy to retest this bug once you fix it.
Thanks Rohan, I might have mistakenly thought you were the author of that other report you linked as well. In my eyes we just seem to only get reports about variations of this, which is exactly the point I was making above. There are just infinite variations and it is not as critical as reports like these make it sound. It certainly is not a medium severity security issue; if anything we would consider it a bug and happily fix it if reported via GitHub.
Appreciate your research on this though! I also proceeded to fix the issue, see https://github.com/getgrav/grav/commit/3dd0cabeac9835fe64dcb4b68c658b39f1f6be2f
The fix looks good to me.