Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki

Valid

Reported on

Dec 11th 2021


Description

Hey all,

I found that the search function of YesWiki integrates the searched term into a value attribute inside an input tag. For example, if I search for sneaky, it will put the term sneaky inside a value attribute:

<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky" name="phrase"/>

Now if I add a double quote to the searched term, it will be rendered like this:

<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky"" name="phrase"/>

This is evidence of a lack of any sort of encoding or sanitizing of special characters, which is a great opportunity to test for a reflected XSS, as the searched term is reflected. So let's enter our XSS payload sneaky"><img src=x onerror=alert(document.cookie)>. The payload will close the value attribute as well as the input tag and open a new img tag which references a non-existing image; in that case an onerror event handler will be triggered to execute the alert. In this case we're getting our cookies, which means the user's session can be hijacked.

Proof of Concept

(Screenshot: yeswikixss)

Impact

With the lack of an HttpOnly flag on cookies, the user's session can be hijacked easily: when a link containing the XSS payload is clicked, the user's cookies are sent to an attacker's server.

Best,

Moad

Occurrences

So the problem in the code is that you're implementing the htmlspecialchars function, which is the right thing, but you have some confusion in the use of variable names. Here you're defining the $phrase parameter:

$phrase = $this->GetParameter('phrase', false);

And here you're defining a new parameter, $paramPhrase, that takes the $phrase parameter and sanitizes its value using htmlspecialchars:

$paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET);

Until now everything is fine, but the problem occurs in the following snippet:

<input name="phrase" type="text" class="form-control" placeholder="'.(($label) ? $label : '').'" size="', $size, '" value="', $phrase, '" >

As you can see, you're rendering the $phrase parameter's value dynamically into the value attribute. That parameter isn't sanitized at all; the right one is the $paramPhrase variable, which is sanitized.
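The variable mix-up described above, reduced to a stand-alone PHP reproduction (added example, not YesWiki's own code): the vulnerable renderer computes the encoded copy but echoes the raw $phrase, while the fixed renderer echoes $paramPhrase. YW_CHARSET is assumed to be 'UTF-8'; the input is the payload quoted in the report.

```php
<?php
// Added example, not YesWiki's own code. YW_CHARSET is assumed to be UTF-8.
if (!defined('YW_CHARSET')) {
    define('YW_CHARSET', 'UTF-8');
}

// Vulnerable pattern: $paramPhrase is computed but the raw $phrase reaches
// the double-quoted value attribute, so a " in the input closes the attribute.
function renderSearchInputVulnerable(string $phrase): string
{
    $paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET); // unused
    return '<input name="phrase" type="text" value="' . $phrase . '">';
}

// Fixed pattern: the encoded copy is what gets interpolated. ENT_COMPAT
// encodes & < > and ", which is sufficient for a double-quoted attribute.
function renderSearchInputFixed(string $phrase): string
{
    $paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET);
    return '<input name="phrase" type="text" value="' . $paramPhrase . '">';
}

// Constructed input: the payload from the report above.
$phrase = 'sneaky"><img src=x onerror=alert(document.cookie)>';

echo "vulnerable: ", renderSearchInputVulnerable($phrase), PHP_EOL;
echo "fixed:      ", renderSearchInputFixed($phrase), PHP_EOL;

// Regression check worth keeping in a test suite: no raw tag or quote may
// survive inside the attribute value once the fix is in place.
$fixed = renderSearchInputFixed($phrase);
assert(strpos($fixed, '<img') === false);
assert(strpos($fixed, '&quot;&gt;&lt;img') !== false);
```

Because the attribute is double-quoted, ENT_COMPAT is enough here; if the template were ever changed to single-quote the attribute, ENT_QUOTES would be needed since ENT_COMPAT leaves ' untouched.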

We are processing your report and will contact the yeswiki team within 24 hours. a year ago
We have contacted a member of the yeswiki team and are waiting to hear back a year ago
Jérémy
a year ago

@mdakh4040

Thanks for revealing this issue.

  1. The trouble can be due to what you said: https://github.com/YesWiki/yeswiki/blob/1ed2d63fdeb19e919c78961a086797d65425aaec/actions/newtextsearch.php#L52
  2. You are presenting errors on a website that is not UP TO DATE: we are solving this. Thanks for revealing this.
  3. Yes, this can be an issue because some generated links in other parts of YesWiki do not urlencode queries. solved
Jérémy Dufraisse validated this vulnerability a year ago
Moad Akhraz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jérémy Dufraisse marked this as fixed in doryphore 2021-12-14-1 with commit 0b7a58 a year ago
Jérémy Dufraisse has been awarded the fix bounty
This vulnerability will not receive a CVE
newtextsearch.php#L30-L61 has been validated