Cross-site Scripting (XSS) - Reflected in emoncms/emoncms

Valid

Reported on

Dec 6th 2021


Description

EmonCMS 10.9.19 has two reflected XSS vulnerabilities:

1 - One is triggered when a user creates a new app whose name contains JavaScript code. It leverages the default display_errors setting in the process_settings.php file, which causes PHP to emit unsanitized error messages that reflect the submitted name.

2 - One is triggered when JavaScript code is injected into HTTP request headers (User-Agent, Accept-Language) that are displayed on the admin info page.

Proof of Concept A (via errors)

1 - Log in to the app, go to Apps > New and select one of the categories

2 - Name the app <script>alert()</script>

3 - Click Create

An attacker can craft a link such as http://target.com/app/view?name=%3Cscript%3Ealert%28%29%3C/script%3E and send it to an authenticated user.

NOTE

To check whether it was an issue specific to my local instance, I also tried it on the instance available to the public at https://emoncms.org. The test confirmed that the vulnerability exists in the default configuration.

POC public instance

https://emoncms.org/app/view?name=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
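The error-message path, as an added illustration rather than emoncms code: a PHP validation function that interpolates the rejected app name into its exception message, and what the report's display_errors observation means for it. The validation rule, the exception text and the rendering helper are assumptions made for this example; only the mechanism (PHP printing an uncaught error, user input included, straight into the response) comes from the report.

```php
<?php
// Added illustration, not emoncms code. The validation rule and message
// wording below are assumptions; the reflection mechanism is the one the
// report describes: PHP's own error output with display_errors enabled.

declare(strict_types=1);

function validate_app_name(string $name): string
{
    // Hypothetical server-side rule: letters, digits, space, dash, underscore.
    if (!preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $name)) {
        // The raw name is interpolated into the message. If this exception is
        // left uncaught while display_errors=On, PHP writes the exception text,
        // raw name included, into the HTTP response body without HTML escaping.
        // html_errors only wraps the text in <b> tags; it does not encode it.
        throw new InvalidArgumentException("Invalid app name: $name");
    }
    return $name;
}

// Hardened rendering: the detail goes to the log, and anything shown to the
// user is HTML-encoded before it reaches the page.
function render_app_error(Throwable $e): string
{
    error_log($e->getMessage());
    $safe = htmlspecialchars($e->getMessage(), ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<p class="error">' . $safe . '</p>';
}

// Constructed sample input, the payload from the report.
$name = $_GET['name'] ?? '<script>alert()</script>';

// Vulnerable configuration, left commented out because it aborts the script:
//   ini_set('display_errors', '1');
//   validate_app_name($name);   // uncaught -> message reflected into the response

// Hardened configuration: production ini settings plus escaped output.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
try {
    validate_app_name($name);
    echo "created\n";
} catch (InvalidArgumentException $e) {
    echo render_app_error($e), "\n";
}
```

Turning display_errors off is the configuration fix the report points at, but it only hides this instance; any code path that echoes an exception message, validation error or framework notice into HTML needs the same output encoding, so the escaped renderer is the part to keep even after the ini change.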

Proof of Concept B (http headers)

1 - Log in to the app as admin and go to http://127.0.0.1/admin/info

2 - Modify the User-Agent or Accept-Language header of the HTTP request sent to the above URL, for example setting it to <script>alert()</script>

3 - The JavaScript code is executed when the above URL is visited.

Example of a request

GET /admin/info HTTP/1.1
Host: 127.0.0.1
User-Agent: <script>alert(1)</script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: <script>alert(2)</script>
Accept-Encoding: gzip, deflate
Connection: close
Cookie: EMONCMS_SESSID=sf2g647cjgji47bok647nbd4b9
Upgrade-Insecure-Requests: 1
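The header reflection, as an added example rather than code from the emoncms admin module: a minimal info page rendered once without and once with output encoding, plus the reflection check to apply to a live response body. The page layout and function names are assumptions; the header values are the ones from the request above.

```php
<?php
// Added illustration, not emoncms code. A stand-in for an "info" page that
// echoes request headers; the table layout and function names are assumptions,
// the reflected fields (User-Agent, Accept-Language) come from the report.

declare(strict_types=1);

// HTML-encode for use in text nodes and double-quoted attribute values.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable rendering: header values dropped straight into the HTML.
function render_info_vulnerable(array $server): string
{
    $ua   = $server['HTTP_USER_AGENT'] ?? '';
    $lang = $server['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return "<tr><td>User-Agent</td><td>$ua</td></tr>\n"
         . "<tr><td>Accept-Language</td><td>$lang</td></tr>\n";
}

// Hardened rendering: every attacker-controlled value passes through h().
function render_info_hardened(array $server): string
{
    $ua   = h($server['HTTP_USER_AGENT'] ?? '');
    $lang = h($server['HTTP_ACCEPT_LANGUAGE'] ?? '');
    return "<tr><td>User-Agent</td><td>$ua</td></tr>\n"
         . "<tr><td>Accept-Language</td><td>$lang</td></tr>\n";
}

// Reflection check for any response body: the raw payload must not appear
// verbatim; its encoded form (&lt;script&gt;) is the expected, harmless result.
function reflects_raw(string $html, string $payload): bool
{
    return strpos($html, $payload) !== false;
}

// Constructed sample request mirroring the headers in the report's PoC.
$sample = [
    'HTTP_USER_AGENT'      => '<script>alert(1)</script>',
    'HTTP_ACCEPT_LANGUAGE' => '<script>alert(2)</script>',
];

$renderers = [
    'vulnerable' => 'render_info_vulnerable',
    'hardened'   => 'render_info_hardened',
];
foreach ($renderers as $label => $fn) {
    $html = $fn($sample);
    printf("%-10s raw <script> reflected: %s\n", $label, reflects_raw($html, '<script>') ? 'yes' : 'no');
}
```

Against a live instance the same check is: send the request above (with a unique marker in the header rather than a bare <script> tag, so a false positive from unrelated page text is impossible) and run reflects_raw over the response body. Encoding at output time is the fix; "sanitizing" headers on input is not enough, because the same values are also written to logs and other templates with different escaping needs.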

Impact

An attacker can execute arbitrary JavaScript code within the session of a user/admin. For the header-based variant the attacker must be able to set the victim's request headers (for example from a network position, a proxy or a browser extension), since a cross-site link cannot control User-Agent or Accept-Language on a navigation; the error-message variant only needs the victim to open the crafted link.

We are processing your report and will contact the emoncms team within 24 hours. (2 years ago)
midist0xf modified the report (2 years ago)
midist0xf modified the report (2 years ago)
We have contacted a member of the emoncms team and are waiting to hear back (2 years ago)
We have sent a follow up to the emoncms team. We will try again in 7 days. (2 years ago)
Trystan Lea validated this vulnerability (2 years ago)
midist0xf has been awarded the disclosure bounty
The fix bounty is now up for grabs
Trystan Lea marked this as fixed in 2.4.1 of the emoncms/app module with commit 1be633 (2 years ago)
The fix bounty has been dropped
This vulnerability will not receive a CVE
Trystan Lea
2 years ago

Maintainer


Thanks for this midist0xf, I'm a little confused about the proposed solution to this one: is the first part of the issue not that the emoncms app module is allowing the <script>alert()</script> code to appear unfiltered in the URL?

The name is filtered on the server side and the app is not created if it was given such a name. I've made a small modification to the app module to filter this on the javascript side as well here: https://github.com/emoncms/app/commit/a87b66cf05598c106384cae4571bf8dea36271b3

midist0xf
2 years ago

Researcher


Hi Trystan, in the first occurrence of the vulnerability, from what I've seen, the issue was present because by default the display_errors option within the process_settings.php file is enabled. As a consequence the application produces unsanitized error messages. In this particular case the malicious name of the app (<script>alert()</script>) was reflected in the error message. I tried disabling display_errors and I couldn't reproduce the XSS.

midist0xf
2 years ago

Researcher


Hi Trystan, is it OK with you if huntr starts the process to request a CVE for this vulnerability? Thanks
