Cross site scripting on the login page in pimcore/pimcore
Reported on
Mar 22nd 2023
Description
Cross-site Scripting (XSS) refers to a client-side code injection attack in which an attacker can execute malicious scripts in the context of a legitimate website or web application. XSS occurs when a web application uses unvalidated or unencoded user input within the output it generates.
The URL-encoded GET parameter too_many_attempts was set to: Too many failed login attempts, please try again in 5 minutes.'"()%26%25<div onmouseover="alert(1)" style="position:fixed;left:0;top:0;width:9999px;height:9999px;"></div>
Proof of Concept
https://demo.pimcore.fun/admin/login?too_many_attempts=Too%20many%20failed%20login%20attempts%2C%20please%20try%20again%20in%205%20minutes.%27%22()%26%25%3Cdiv%20onmouseover=%22alert(1)%22%20style=%22position:fixed;left:0;top:0;width:9999px;height:9999px;%22%3E%3C/div%3E
Impact
Malicious JavaScript has access to all the same objects as the rest of the web page, including access to cookies and local storage, which are often used to store session tokens. If an attacker can obtain a user's session cookie, they can then impersonate that user.
Furthermore, JavaScript can read and make arbitrary modifications to the contents of a page being displayed to a user. Therefore, XSS in conjunction with some clever social engineering opens up a lot of possibilities for an attacker.
Hello,
would you have any updates regarding this XSS?
Kind regards
To sanitize this code and prevent XSS vulnerabilities, you can use the htmlspecialchars function to escape any special characters in the input value before assigning it to the $params array. Here's an example:

    if ($request->get('too_many_attempts')) {
        $params['error'] = htmlspecialchars($request->get('too_many_attempts'), ENT_QUOTES, 'UTF-8');
    }

This will convert any special characters in the input string to their corresponding HTML entities, preventing them from being interpreted as code by the browser. The ENT_QUOTES flag is used to escape both single and double quotes, and the 'UTF-8' encoding ensures that the function works correctly with non-ASCII characters.
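As an added example (not pimcore's own code), the escaping suggested above applied to the exact payload from the proof of concept, with the unescaped pattern beside it for comparison. The functions buildParamsUnsafe, buildParamsSafe and renderError are hypothetical stand-ins for the controller and template; ENT_SUBSTITUTE is an addition to the comment's flags so that malformed UTF-8 does not silently empty the message.

```php
<?php
// Added example, not pimcore code. Constructed input: the report's PoC payload.
$tooManyAttempts = "Too many failed login attempts, please try again in 5 minutes."
    . "'\"()&%<div onmouseover=\"alert(1)\" "
    . "style=\"position:fixed;left:0;top:0;width:9999px;height:9999px;\"></div>";

// Vulnerable pattern: the query parameter is copied into the template
// parameters unchanged and later rendered as raw HTML.
function buildParamsUnsafe(array $query): array {
    $params = [];
    if (!empty($query['too_many_attempts'])) {
        $params['error'] = $query['too_many_attempts'];
    }
    return $params;
}

// Hardened pattern: escape for an HTML context before storing the value.
// ENT_QUOTES covers both quote styles (safe inside attribute values too);
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning '' (an attacker
// could otherwise blank the message); ENT_HTML5 selects HTML5 entity rules.
function buildParamsSafe(array $query): array {
    $params = [];
    if (!empty($query['too_many_attempts'])) {
        $params['error'] = htmlspecialchars(
            $query['too_many_attempts'],
            ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5,
            'UTF-8'
        );
    }
    return $params;
}

// Hypothetical template step: interpolates the error message into the page.
function renderError(array $params): string {
    return '<div class="error">' . ($params['error'] ?? '') . '</div>';
}

$query = ['too_many_attempts' => $tooManyAttempts];

// The unsafe output contains a live <div onmouseover="alert(1)"> element.
echo "Unsafe: ", renderError(buildParamsUnsafe($query)), PHP_EOL;

// The safe output carries &lt;div onmouseover=&quot;alert(1)&quot;...&gt; as text.
echo "Safe:   ", renderError(buildParamsSafe($query)), PHP_EOL;

// Regression check: no raw tag survives the escaping.
assert(strpos(renderError(buildParamsSafe($query)), '<div onmouseover') === false);
```

Escaping at render time via the template engine's autoescaping is equally valid; the point is that the value must be encoded for the HTML context it lands in, not stored raw.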
Hello Christian,
Can you please assign it a CVE?
Kind regards