Cross-site Scripting (XSS) - Reflected in yeswiki/yeswiki
Reported on
Dec 11th 2021
Description
Hey all,
I found that the search function of YesWiki inserts the searched term into the value attribute of an input tag. For example, if I search for sneaky, the term sneaky is placed inside the value attribute:
<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky" name="phrase"/>
If I add a double quote to the searched term, it is rendered like this:
<input type="text" class="search-query form-control" placeholder="Rechercher..." value="sneaky"" name="phrase"/>
This shows that special characters are not encoded or sanitized in any way, which makes the reflected search term a strong candidate for a reflected XSS. Entering the payload sneaky"><img src=x onerror=alert(document.cookie)> closes the value attribute and the input tag and opens a new img tag that references a non-existent image; the onerror event handler then fires and executes the alert, which in this case displays the cookies, meaning the user's session can be hijacked.
Proof of Concept
Impact
Because the cookies lack the HttpOnly flag, the user's session can easily be hijacked: when a link containing the XSS payload is clicked, the user's cookies are sent to an attacker's server.
Best,
Moad
Occurrences
newtextsearch.php L30-L61
The problem in the code is that you do apply the htmlspecialchars function, which is the right thing, but the variable names are mixed up. Here you define the $phrase parameter:
$phrase = $this->GetParameter('phrase', false);
and here you define a new variable, $paramPhrase, which takes $phrase and sanitizes its value using htmlspecialchars:
$paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET);
Up to this point everything is fine, but the problem occurs in the following snippet:
<input name="phrase" type="text" class="form-control" placeholder="'.(($label) ? $label : '').'" size="', $size, '" value="', $phrase, '" >
As you can see, you render the value of $phrase directly into the value attribute, and that variable is not sanitized at all; the correct one is the sanitized $paramPhrase variable.
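The following is an added example, not YesWiki's own code, that reproduces the bug described above and its fix side by side: the same render function is called once with the raw $phrase (the reported behaviour) and once with the htmlspecialchars() result, and a small check confirms whether the user-controlled value stays inside the attribute. The constant YW_CHARSET, the function names and the attribute layout are assumptions modelled on the snippet quoted in the report.

```php
<?php
// Added example, not YesWiki's code. YW_CHARSET is assumed to be UTF-8,
// as in the htmlspecialchars() call quoted in the report.
const YW_CHARSET = 'UTF-8';

/**
 * Render the search box. $escape=false reproduces the reported bug (the raw
 * $phrase is echoed into the value attribute); $escape=true is the fix, where
 * the htmlspecialchars() result is what reaches the HTML.
 */
function renderSearchInput(string $phrase, string $label = '', int $size = 20, bool $escape = true): string
{
    // ENT_COMPAT encodes &, <, > and the double quote (the attribute delimiter)
    // but leaves single quotes alone, which suffices for a double-quoted attribute.
    $paramPhrase = htmlspecialchars($phrase, ENT_COMPAT, YW_CHARSET);
    $value = $escape ? $paramPhrase : $phrase;
    $placeholder = htmlspecialchars($label, ENT_COMPAT, YW_CHARSET);

    return '<input name="phrase" type="text" class="form-control"'
        . ' placeholder="' . $placeholder . '"'
        . ' size="' . $size . '"'
        . ' value="' . $value . '">';
}

/**
 * Crude regression check: the rendered markup must contain exactly one tag,
 * i.e. the user-controlled value never closes the attribute or the element.
 */
function attributeStaysClosed(string $html): bool
{
    return substr_count($html, '<') === 1 && substr_count($html, '>') === 1;
}

// Constructed sample input: the probe string from the report.
$probe = 'sneaky"><img src=x onerror=alert(document.cookie)>';

$vulnerable = renderSearchInput($probe, 'Rechercher...', 20, false);
$fixed      = renderSearchInput($probe, 'Rechercher...', 20, true);

// The first rendering contains a second tag injected from the query string;
// the second keeps the whole probe inside value="..." as &quot; &lt; &gt;.
echo $vulnerable, PHP_EOL;
echo $fixed, PHP_EOL;
var_dump(attributeStaysClosed($vulnerable));
var_dump(attributeStaysClosed($fixed));
```

ENT_COMPAT is enough here only because the attribute is double-quoted; for single-quoted attributes, or when the same helper is reused elsewhere, ENT_QUOTES is the safer default.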
@mdakh4040
thanks for revealing this issue.
- the trouble can be due to what you said: https://github.com/YesWiki/yeswiki/blob/1ed2d63fdeb19e919c78961a086797d65425aaec/actions/newtextsearch.php#L52
- you are presenting errors on a website that is not UP TO DATE: we are solving this. Thanks for revealing this.
- Yes, this can be an issue because some generated links in other parts of YesWiki do not urlencode queries. solved