Cross-site Scripting (XSS) - Stored in admidio/admidio
Reported on
Jan 13th 2022
Description
I can send a message. In it, I can create a link. But when I create a link, I can use an onfocus/autofocus attribute after escaping the href attribute, because double quotes are not processed.
Proof of Concept
1. Open https://www.admidio.org/demo_en/adm_program/system/login.php
2. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
3. Click Send Message to Anyone
4. Click the create-URL button, enter google.com/"autofocus//onfocus="alert(document.domain and send
5. Go to the message I sent
Video: https://www.youtube.com/watch?v=4yjaSFDmhFY
Impact
Through this vulnerability, an attacker is able to execute malicious scripts.
Occurrences
messages_write.php L341
Sorry I couldn't find the code :(
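As an added example, and not code from Admidio or from anyone in this thread, the JavaScript below models what the report describes: a link builder that escapes <, > and & but leaves double quotes alone (escapeTextOnly, a hypothetical stand-in for the filter, not Admidio's messages_write.php), the same builder with attribute-safe escaping, and a simplified tokenizer (attributeNames) approximating how a browser reads the opening <a> tag. Running it shows that the proof-of-concept string adds autofocus and onfocus attributes to the vulnerable markup and nothing beyond href to the hardened one.

```javascript
// Added example, not Admidio's code: models the attribute injection the report
// describes and the escaping that prevents it. All names below are hypothetical.

// The exact string from the proof of concept.
const PAYLOAD = 'google.com/"autofocus//onfocus="alert(document.domain';

// Stand-in for a filter that handles <, > and & but leaves double quotes alone,
// which is the weakness the report points to (assumed behaviour, not Admidio's code).
function escapeTextOnly(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Attribute-safe escaping: quotes are encoded too, so a value can never close
// the surrounding href="..." and start new attributes.
function escapeAttr(s) {
  return escapeTextOnly(s).replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Builds the link the way the vulnerable path does: the URL goes into href
// with text-only escaping, so a double quote in it ends the attribute value.
function vulnerableLink(url) {
  return `<a href="${escapeTextOnly(url)}">${escapeTextOnly(url)}</a>`;
}

// Hardened builder. Attribute escaping fixes the reported bug; the scheme check
// is a separate, standard precaution against javascript: links, which escaping
// alone does not stop. Non-http(s) URLs are emitted as plain text, not as links.
function hardenedLink(url) {
  const scheme = url.match(/^([a-z][a-z0-9+.-]*):/i);
  if (scheme && !/^https?$/i.test(scheme[1])) return escapeTextOnly(url);
  return `<a href="${escapeAttr(url)}">${escapeTextOnly(url)}</a>`;
}

// Simplified model of how a browser tokenizes the opening <a ...> tag: attribute
// names, optionally followed by ="value", separated by whitespace or slashes.
// Enough to show which attributes the markup actually carries.
function attributeNames(html) {
  const open = html.match(/^<a\s([^>]*)>/);
  if (!open) return [];
  const names = [];
  const re = /([^\s"'=\/>]+)(?:\s*=\s*"[^"]*")?/g;
  let m;
  while ((m = re.exec(open[1])) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Stand-alone demonstration (run with node).
console.log(vulnerableLink(PAYLOAD));
console.log('vulnerable attributes:', attributeNames(vulnerableLink(PAYLOAD)));
console.log(hardenedLink(PAYLOAD));
console.log('hardened attributes:', attributeNames(hardenedLink(PAYLOAD)));
```

The first output line shows the payload's second double quote closing href, after which autofocus and onfocus are read as attributes of the anchor; with escapeAttr the quotes become &quot; and the whole string stays inside href. The tokenizer is deliberately simplified and only illustrates the attribute split; a real check should be done in a browser as the thread does.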
I tried to reproduce your example, but when I enter that string and afterwards open the email, the onfocus event is not executed. First I must click on the link. If you look today, you can find my example at admidio.org/demo_en within the message from 20.01.2022 12:20
Do you know what is different in my test?
Hello. When I connect with the message you just tested, onfocus works fine!
Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages_write.php?msg_uuid=77cd2795-5901-4fbc-9f41-145b7bc5523d
Hmm, I use Safari and Firefox on Mac. Neither showed the message box automatically. Only if I click on the link is the message box shown.
Hmm... if you look at the code, you can see that it's entered correctly.