XSS in /demo/module/?module=HERE in microweber/microweber
Apr 22nd 2022
Reflected XSS in /demo/module/?module= bypass of fix for CVE-2022-1439
Proof of Concept
In this report I showed an XSS and while one of the filter evasion mechanisms was fixed, the root cause persists to allow other payloads.
As I mentioned there are event handlers which are unblocked, so even without the <x> trick from last report, you can get XSS.
Here I use ontransitionrun, there are more and there will always come more event handlers, so a blacklist approach will fail here.
Hitting "tab" will fire the payload.
How to fix this
The html looks like this:
<div class='x module module-'ontransitionrun=alert(1) ' tabindex="1" style="transition:outline 0.001s" ...
You can not allow breaking out of the "class" attribute, so remove or encode the 's in the input. That's the main thing here.
Typical impact of XSS attacks.