Reflected XSS in microweber/microweber

Valid

Reported on Apr 28th 2022


Description

Bypass XSS filter on /module/

Proof of Concept

https://demo.microweber.org/demo/module/?module=admin%2Fmodules%2Fmanage&id=x"draggable="true"ondragexit=alert(1)&class=x&from_url=x

Drag something around to trigger the XSS. Might only work in Firefox.

How to fix

This is still CVE-2022-1439 basically.
I can break out of these HTML attributes. This time I use another parameter because I need a valid ?module= to get some HTML elements, which I need to trigger this event handler, but the core bug is the same.

This affects many parameters on /module/; you can even define your own and they'll be appended as HTML attributes. You cannot allow breaking out of these with quotes.

Maybe you can just replace " and ' here like < and >.

Impact

Executing JavaScript as the victim
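
An added example, not part of the original report, not microweber's code and not the merged fix: it contrasts rendering request parameters as HTML attributes when only < and > are stripped with a version that also entity-encodes both quote styles and validates attribute names. The function names, the constructed `$params` array and the attribute-name rule are assumptions made for illustration.

```php
<?php
// Added illustration; function names are hypothetical, not microweber's API.

// Constructed input modelled on the report's query string: the "id" value
// carries a double quote followed by extra attributes.
$params = [
    'id'    => 'x"draggable="true"ondragexit=alert(1)',
    'class' => 'x',
];

// Weak pattern described in the report: only < and > are replaced, so a
// quote inside the value still terminates the attribute.
function render_attrs_weak(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        $value = str_replace(['<', '>'], '', (string) $value);
        $out .= ' ' . $name . '="' . $value . '"';
    }
    return $out;
}

// Hardened form. Values are entity-encoded with ENT_QUOTES so " and ' cannot
// close the attribute. Because callers can define their own parameter names,
// names are validated too, and event-handler names (on*) are dropped.
// Assumption: a fixed allowlist of names would be stricter where feasible.
function render_attrs_safe(array $params): string
{
    $out = '';
    foreach ($params as $name => $value) {
        $name = (string) $name;
        if (!preg_match('/^[a-z][a-z0-9_-]*$/i', $name) || stripos($name, 'on') === 0) {
            continue; // skip names that are not plain, non-handler attributes
        }
        $value = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $out .= ' ' . $name . '="' . $value . '"';
    }
    return $out;
}

// Compare the two renderings of the same input.
echo '<div' . render_attrs_weak($params) . "></div>\n";
echo '<div' . render_attrs_safe($params) . "></div>\n";
```

In the first line of output the value's quote closes `id` and the rest parses as separate attributes; in the second the whole string stays inside `id` as `&quot;`-encoded text.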

We are processing your report and will contact the microweber team within 24 hours. a month ago
Finn Westendorf modified the report a month ago

Finn Westendorf (Researcher) a month ago

https://demo.microweber.org/demo/module/?module=x%22draggable=%22true%22ondragexit=alert(1)&id=x&class=x&from_url=x&style=width:100%25;height:100

For the record, here's the same bypass in the same old "module" parameter, but you have to drag something else over it, e.g. a bookmark.

We have contacted a member of the microweber team and are waiting to hear back a month ago
We have sent a follow up to the microweber team. We will try again in 7 days. 25 days ago
Peter Ivanov validated this vulnerability 24 days ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 527abd 24 days ago
Peter Ivanov has been awarded the fix bounty