Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki


Reported on Dec 11th 2021


Hey all,

I found that the search function of YesWiki inserts the searched term into a value attribute inside an input tag. For example, if I search for sneaky, it will put the term sneaky inside a value attribute:

<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky" name="phrase"/>

Now if I add a double quote to the searched term, it will be rendered like this:

<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky"" name="phrase"/>

which is evidence that special characters are not encoded or sanitized in any way. That is a great opportunity to test for a reflected XSS, since the searched term is reflected, so let's enter our XSS payload sneaky"><img src=x onerror=alert(document.cookie)>. This payload closes the value attribute as well as the input tag and opens a new img tag that references a non-existent image; the onerror event handler is then triggered and executes the alert, which in this case shows our cookies, meaning a user's session can be hijacked.

Proof of Concept



Without the HttpOnly flag on cookies, a user's session can be hijacked easily: when a link containing the XSS payload is clicked, the user's cookies are sent to an attacker's server.




So the problem in the code is that you are calling the htmlspecialchars function, which is the right thing, but the variable names get mixed up. Here you define the $phrase parameter:

$phrase = $this->GetParameter('phrase', false);

and here you define a new variable, $paramPhrase, which takes $phrase and sanitizes its value using htmlspecialchars:

$paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET);

Up to this point everything is fine, but the problem occurs in the following snippet:

<input name="phrase" type="text" class="form-control" placeholder="'.(($label) ? $label : '').'" size="', $size, '" value="', $phrase, '" >

As you can see, you are rendering the $phrase parameter's value directly into the value attribute. That parameter isn't sanitized at all; the right one is the $paramPhrase variable, which is sanitized.
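As an added example (not YesWiki's own code), here are the vulnerable and fixed renderings of the search input side by side in PHP, plus a link builder for the urlencode point; it assumes a YW_CHARSET constant as in YesWiki (a stand-in value is used here) and the function names are hypothetical:

```php
<?php
// Added example, not YesWiki's code: the search input rendered the vulnerable way
// and the fixed way, plus a link builder for the urlencode point raised by the
// maintainer. YW_CHARSET is assumed to be a charset constant as in YesWiki; 'UTF-8'
// is a stand-in value here.
const YW_CHARSET = 'UTF-8';

// Vulnerable form: the raw request value is interpolated into the value attribute.
function renderSearchVulnerable(string $phrase): string
{
    return '<input name="phrase" type="text" class="form-control" value="' . $phrase . '">';
}

// Fixed form: encode first, then interpolate the encoded copy (the page's $paramPhrase).
// ENT_QUOTES also encodes single quotes, so the result is safe in single- or
// double-quoted attributes; the page's ENT_COMPAT only encodes double quotes, which
// is sufficient only while the attribute stays double-quoted.
function renderSearchFixed(string $phrase): string
{
    $paramPhrase = htmlspecialchars($phrase, ENT_QUOTES | ENT_SUBSTITUTE, YW_CHARSET);
    return '<input name="phrase" type="text" class="form-control" value="' . $paramPhrase . '">';
}

// Generated links: URL-encode the query value, then HTML-encode the whole URL
// because it lands inside an href attribute.
function searchLink(string $phrase): string
{
    $url = '?phrase=' . rawurlencode($phrase);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, YW_CHARSET) . '">search</a>';
}

// Regression check: a rendered input must contain exactly one tag, i.e. the value
// must not have been able to close the attribute and start a new element.
function attributeStaysClosed(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed input that closes the attribute and injects a tag when left unencoded.
$constructed = 'sneaky"><b>injected</b>';

echo renderSearchVulnerable($constructed), "\n";
echo 'vulnerable render keeps attribute closed: ',
     var_export(attributeStaysClosed(renderSearchVulnerable($constructed)), true), "\n";
echo renderSearchFixed($constructed), "\n";
echo 'fixed render keeps attribute closed: ',
     var_export(attributeStaysClosed(renderSearchFixed($constructed)), true), "\n";
echo searchLink($constructed), "\n";
```

The attributeStaysClosed check is a cheap unit-test assertion for templates like this one: it fails on the vulnerable render and passes on the fixed one.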

We are processing your report and will contact the yeswiki team within 24 hours. 2 months ago
We have contacted a member of the yeswiki team and are waiting to hear back 2 months ago



Thanks for revealing this issue.

  1. the trouble can be due to what you said:
  2. you are presenting errors on a website that is not UP TO DATE: we are solving this. Thanks for revealing this.
  3. Yes, this can be an issue because some generated links in other parts of YesWiki do not urlencode queries. (solved)
Jérémy Dufraisse validated this vulnerability a month ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse confirmed that a fix has been merged on 0b7a58 a month ago
Jérémy Dufraisse has been awarded the fix bounty
newtextsearch.php#L30-L61 has been validated