XSS in /demo/module/?module=HERE in microweber/microweber

Valid

Reported on

Apr 22nd 2022


Description

Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439

Proof of Concept

In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads.

As I mentioned there are event handlers which are unblocked, so even without the <x> trick from last report, you can get XSS.
Here I use ontransitionrun, there are more and there will always come more event handlers, so a blacklist approach will fail here.

https://demo.microweber.org/demo/module/?module=%27ontransitionrun=alert(1)%27%22tabindex=1&style=transition:outline%200.001s&id=x&data-show-ui=admin&class=x&from_url=https://demo.microweber.org

Hitting "tab" will fire the payload.

How to fix this

The html looks like this:

<div class='x module module-'ontransitionrun=alert(1) '   tabindex="1"   style="transition:outline 0.001s" ...

You can not allow breaking out of the "class" attribute, so remove or encode the 's in the input. That's the main thing here.

Impact

Typical impact of XSS attacks.

References

We are processing your report and will contact the microweber team within 24 hours. a month ago
We have contacted a member of the microweber team and are waiting to hear back a month ago
We have sent a follow up to the microweber team. We will try again in 7 days. a month ago
Peter Ivanov validated this vulnerability 25 days ago
Finn Westendorf has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Peter Ivanov confirmed that a fix has been merged on 1f6a4d 25 days ago
Peter Ivanov has been awarded the fix bounty
to join this conversation