Cross-site Scripting (XSS) - Stored in admidio/admidio

Valid

Reported on

Jan 13th 2022


Description

I can send a message. In the here, I can create a link. But, when i create a link, I can use an onfocus/autofocus attribute after escape the href attribute because do not processing for double quote

Proof of Concept

1. Open the https://www.admidio.org/demo_en/adm_program/system/login.php
2. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
3. Click Send Message to Anyone
4. And click the creating url button, Enter the google.com/"autofocus//onfocus="alert(document.domain and Send
5. Go to message I sended

Video : https://www.youtube.com/watch?v=4yjaSFDmhFY

Impact

Through this vulnerability, an attacker is capable to execute malicious scripts.

Occurrences

Sorry I couldn't find the code :(

We are processing your report and will contact the admidio team within 24 hours. 4 months ago
Pocas modified the report
4 months ago
We have contacted a member of the admidio team and are waiting to hear back 4 months ago
We have sent a follow up to the admidio team. We will try again in 7 days. 4 months ago
Markus
4 months ago

Maintainer


I tried to reproduce your example but when I enter that string and afterwards open the email the onfocus event is not executed. First I must click on the link. If you look today you can find my example at admidio.org/demo_en within the message from 20.01.2022 12:20

To you know what is different in my test?

Pocas
4 months ago

Researcher


Hello. When I connect with the message you just tested, onfocus works fine!

Pocas
4 months ago

Researcher


Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages_write.php?msg_uuid=77cd2795-5901-4fbc-9f41-145b7bc5523d

Markus
4 months ago

Maintainer


hmm, I use Safari and Firefox on Mac. Both didn't show the messagebox automatically. Only if I click on the link the messagebox will be shown.

Pocas
4 months ago

Researcher


Hmm... if you look at the code, you can see that it's entered correctly.

Markus Faßbender validated this vulnerability 4 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Markus Faßbender confirmed that a fix has been merged on 5141fd 4 months ago
Markus Faßbender has been awarded the fix bounty
messages_write.php#L341 has been validated
Markus
4 months ago

Maintainer


Thanks for the research!

to join this conversation