Cross-site Scripting (XSS) - Stored in admidio/admidio
Jan 13th 2022
I can send a message. In there, I can create a link. But when I create a link, I can use an onfocus/autofocus attribute after escaping the href attribute, because double quotes are not processed.
Proof of Concept
1. Open https://www.admidio.org/demo_en/adm_program/system/login.php
2. Go to https://www.admidio.org/demo_en/adm_program/modules/messages/messages.php
3. Click Send Message to Anyone
4. Click the URL creation button, enter google.com/"autofocus//onfocus="alert(document.domain and send
5. Go to the message I sent

Video: https://www.youtube.com/watch?v=4yjaSFDmhFY
Through this vulnerability, an attacker is able to execute malicious scripts.
Sorry I couldn't find the code :(
I tried to reproduce your example but when I enter that string and afterwards open the email the onfocus event is not executed. First I must click on the link. If you look today you can find my example at admidio.org/demo_en within the message from 20.01.2022 12:20
Do you know what is different in my test?
Hello. When I connect with the message you just tested, onfocus works fine!
hmm, I use Safari and Firefox on Mac. Both didn't show the messagebox automatically. Only if I click on the link the messagebox will be shown.
Hmm... if you look at the code, you can see that it's entered correctly.
Thanks for the research!
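
The report attributes the bug to double quotes in the link's href value not being processed. As an added illustration (not Admidio's code, which the report could not locate), the PHP below contrasts an assumed string-concatenation pattern with an output-encoded, scheme-allow-listed one. The names renderLinkUnsafe and renderLinkSafe are hypothetical, and treating a scheme-less entry as https is an assumption.

```php
<?php
// Added example, not Admidio code. Function names are hypothetical.

// Assumed vulnerable pattern: the user-supplied URL is concatenated into a
// double-quoted attribute, so a literal " ends the href value early and the
// rest of the input is parsed as further attributes of the <a> element.
function renderLinkUnsafe(string $url, string $text): string
{
    return '<a href="' . $url . '">' . $text . '</a>';
}

// Hardened pattern: allow-list the scheme, then encode for the HTML
// attribute context so quotes cannot terminate the value.
function renderLinkSafe(string $url, string $text): string
{
    $url = trim($url);

    // Assumption: an entry without a scheme (e.g. "google.com/...") means https.
    // An entry like "host:8080/path" looks like a scheme here and is rejected
    // below, which fails closed.
    if (!preg_match('#^[a-z][a-z0-9+.-]*:#i', $url)) {
        $url = 'https://' . $url;
    }

    // parse_url() returns null or false when no scheme can be extracted;
    // both become '' and are rejected, as are javascript:, data:, etc.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        $url = '#';
    }

    // ENT_QUOTES encodes both " and ', covering either attribute quoting style.
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;

    return '<a href="' . htmlspecialchars($url, $flags, 'UTF-8') . '"'
        . ' rel="noopener noreferrer">'
        . htmlspecialchars($text, $flags, 'UTF-8') . '</a>';
}

// Input string taken from step 4 of the report.
$input = 'google.com/"autofocus//onfocus="alert(document.domain';

echo renderLinkUnsafe($input, 'link'), PHP_EOL;
echo renderLinkSafe($input, 'link'), PHP_EOL;
```

In the second line of output the quotes arrive as character references inside the href value, so the browser sees a single href attribute and no event-handler attribute.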