The XSS payload injected in the "Display Name" parameter when creating Contacts results in Cross-Site Scripting (Stored/Persistent) in modoboa/modoboa-webmail

Valid

Reported on

Feb 13th 2023


Description

The XSS payload injected in the "Display Name" parameter when creating Contacts results in Cross-Site Scripting (Stored/Persistent).

Steps to Reproduce:

#1. First, go to the user dashboard, then Contacts: https://demo.modoboa.org/contacts/#/

#2. Then add a new contact and enter the payload Bounty"><script>alert(document.cookie);</script> in the Display Name field, as this field is not sanitized.

#3. Next, go to the webmail tab and compose a new email.

#4. Lastly, type the email address into the "To" field; for this instance the email address is researcher.intigriti@gmail.com. The stored XSS is then triggered.

#5. Please refer to the POC for the same.

Proof of Concept:

Drive link of POC: https://drive.google.com/file/d/1AquPN4iQzVWVnQlrpsu9nQR3kh1ZBIee/view?usp=share_link

Payload:

Bounty"><script>alert(document.cookie);</script>

Recommendations:

• Mark cookies as "Secure" and "HTTP-Only" where appropriate to minimize the impact of cross-site scripting attacks.

• Before using any user-supplied data, validate its format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible.

• Before using any data (stored or user-supplied) to generate web page content, escape all non-alphanumeric characters (i.e. output-validation). This is particularly important when the original source of the data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS. This can be done by converting characters to “&#nn;” (ignore the quotes), where “nn” is the hexadecimal ASCII character number.
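The two recommendations above (reject unexpected input, and escape everything that is not alphanumeric before rendering) can be made concrete for this report's scenario: a contact's display name being rendered into the compose window's recipient field. The following is an added example written for this page, not code from modoboa-webmail; the function names, the recipient markup and the sample contact are assumptions for illustration. It uses the decimal numeric character reference form (`&#nn;`); the hexadecimal form is written `&#xnn;` with an explicit `x`.

```javascript
// Added example (not modoboa-webmail code): output-escaping a contact's
// display name before it is rendered into the compose window's "To" field.
// Function names and the recipient markup are assumptions for illustration.

// Escape every non-alphanumeric character as a decimal numeric character
// reference (&#nn;), i.e. the output-validation approach recommended above.
// The "u" flag makes the negated class match whole code points, so
// characters outside the BMP are emitted as one reference, not two.
function escapeForHtml(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) => `&#${ch.codePointAt(0)};`);
}

// Vulnerable rendering: the stored display name is concatenated straight
// into markup destined for innerHTML, which is the pattern behind the report.
function renderRecipientUnsafe(contact) {
  return `<span class="recipient">${contact.displayName} &lt;${contact.email}&gt;</span>`;
}

// Fixed rendering: both stored fields pass through escapeForHtml first, so
// the browser displays the payload as text instead of parsing it as markup.
function renderRecipientSafe(contact) {
  return `<span class="recipient">${escapeForHtml(contact.displayName)} ` +
         `&lt;${escapeForHtml(contact.email)}&gt;</span>`;
}

// Regression check usable in a unit test: after stripping the wrapper span,
// the rendered recipient must not contain any raw tag opener.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<span class="recipient">/, '')
    .replace(/<\/span>$/, '');
  return /<[A-Za-z/]/.test(inner);
}

// Constructed sample contact using the payload and address from the report.
const sampleContact = {
  displayName: 'Bounty"><script>alert(document.cookie);</script>',
  email: 'researcher.intigriti@gmail.com',
};

console.log('unsafe:', renderRecipientUnsafe(sampleContact));
console.log('safe:  ', renderRecipientSafe(sampleContact));
```

In a real frontend the safest option is to avoid innerHTML for user data altogether (set `textContent` on a created element instead); the escaping function is shown because it is the approach the recommendation describes and it applies equally to server-side templating.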

Message

Hi Ladies and Gents,

I was hoping to receive and assign a CVE for the submitted vulnerability, please?

Thank you for your time.

Best Regards,

Jeffrey

Impact

Cross-Site Scripting is a high-severity issue that allows a malicious user to store malicious scripts on a vulnerable page; when the page is later viewed by another user or administrator, the script can send session information or browser keystrokes to the attacker, allowing them to hijack or spy on the user's session.

We are processing your report and will contact the modoboa/modoboa-webmail team within 24 hours. 2 months ago
Jeffrey G modified the report
2 months ago
We have contacted a member of the modoboa/modoboa-webmail team and are waiting to hear back 2 months ago
Jeffrey G
2 months ago

Researcher


Hi, thank you for the update. Appreciate it.

Cheers! Jeffrey

Jeffrey G
2 months ago

Researcher


I did a quick check and found out that the "Display Name" parameter in creating Contact is vulnerable to Cross-Site Scripting.

POC links: https://drive.google.com/file/d/1x7aXjC9-2z4qmikLhXCWsJbtyetdbslO/view?usp=share_link

Cheers, Jeffrey

Antoine Nguyen validated this vulnerability a month ago
Jeffrey G has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Antoine Nguyen
a month ago

Maintainer


Here is a PR containing a fix: https://github.com/modoboa/modoboa-webmail/pull/244

Jeffrey G
a month ago

Researcher


Hi @Antoine Nguyen, is it possible to assign a CVE for the submitted vulnerability, please?

Your help is highly appreciated.

Best Regards, Jeffrey

Antoine Nguyen marked this as fixed in 1.7.2 with commit 3b3b3b a month ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability will not receive a CVE
Antoine Nguyen published this vulnerability a month ago