Code Injection in microweber/microweber
Reported on
Jan 2nd 2022
Description
HTML injection is a vulnerability in which an attacker can inject malicious HTML content into a webpage.
Proof of Concept
1. The admin has enabled the Comments module so that people can comment on a blog post.
2. The attacker posts the following comment:
<s><marquee><h1>SOMETHING+SOMETHING
Now observe the changes in the webpage: the HTML is rendered by the browser, so the footer of the webpage is struck through, etc.
Impact
Attackers can change the structure of the webpage using tags such as <marquee>, <h1>, <center>, <s>, etc.
Attackers can even hide the Leave Comment button.
This HTML is also rendered in the admin panel when the admin checks the comments on a post.
Occurrences
CommentController.php L27-L121
This endpoint only cleans XSS payloads and does not follow any process to clean HTML tags.
It does not use the clean_html function, which is used in AdminController@saveCommentEdit in the Comments module.
https://github.com/microweber/microweber/commit/51b5a4e3ef01e587797c0109159a8ad9d2bac77a
https://github.com/microweber/microweber/commit/6e9fcaa043b4211ef21a494f9892dd19ba8a572c
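The gap described under Occurrences, as an added example (not microweber's code and not part of the report): xss_only_filter is a hypothetical stand-in for a filter that targets script execution only, and encode_comment shows one common mitigation, encoding the comment on output with PHP's htmlspecialchars. All function names here are assumptions.

```php
<?php
// Constructed input: the comment body from the proof of concept above.
$comment = '<s><marquee><h1>SOMETHING+SOMETHING';

// Hypothetical stand-in for a script-focused filter: removes <script> blocks,
// on* event-handler attributes and javascript: URLs, and nothing else.
function xss_only_filter(string $html): string
{
    $html = preg_replace('#<script\b[^>]*>.*?</script>#is', '', $html);
    $html = preg_replace('#\son\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)#i', '', $html);
    return preg_replace('#javascript\s*:#i', '', $html);
}

// Mitigation for plain-text comments: encode on output so that every tag
// is displayed literally instead of being parsed by the browser.
function encode_comment(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Regression helper: list the tag names a browser would still parse.
function surviving_tags(string $html): array
{
    preg_match_all('#<\s*([a-z][a-z0-9]*)#i', $html, $m);
    return array_map('strtolower', $m[1]);
}

$filtered = xss_only_filter($comment);
$encoded  = encode_comment($comment);

// The structural tags pass through the script-focused filter untouched.
printf("xss-only filter: %s\n  parsed tags: %s\n",
    $filtered, implode(', ', surviving_tags($filtered)) ?: 'none');

// After output encoding no tag is left for the browser to parse.
printf("output encoding: %s\n  parsed tags: %s\n",
    $encoded, implode(', ', surviving_tags($encoded)) ?: 'none');
```

Because the admin panel renders the same stored comment, the encoding has to be applied in every view that outputs it, not only on the public post page.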