Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis

Valid

Reported on

Apr 30th 2022


Description

I am able to bypass the fix in the report https://huntr.dev/bounties/4f7be1e2-b844-4def-af9f-136dcce1c349/ which caused the XSS vulnerability.
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Step to reproduce

The vulnerability exists on Firefox (not in chromium based browsers).
1.Login to the demo environment by administrator account.
2.In the left menu, go to RESOURCES -> Resources.
3.Add new record with any TITLE and in the LINK field, add this payload javascri	pt:alert(1)
4.Click on SAVE button then click the link, you will see the XSS popup.

Impact

This vulnerability has the potential to phish user to another page and trick user to steal cookies and gain unauthorized access to that user's account through the stolen cookies.

We are processing your report and will contact the francoisjacquet/rosariosis team within 24 hours. a month ago
François
a month ago

Maintainer


Hello @khanhchauminh

Thank you for your report. I have no idea how to prevent those new cases easily then. Any recommendations?

KhanhCM
a month ago

Researcher


Hi @maintainer,

I am not good at fixing vulnerabilities however, from my point of view, I think you should use regex to filter those cases. You can search for the string 	, if it exists in the user input, then you can disable the link to that input.

We have contacted a member of the francoisjacquet/rosariosis team and are waiting to hear back a month ago
François
a month ago

Maintainer


Thank you for your answer. I have opted for a solution where HTML entities are first decoded. Then, they can be encoded as URL entities, so the payload is now http://[rosariosis_url]/javascri%09pt:alert(1) The fix will come in version 9.0

François Jacquet validated this vulnerability a month ago
KhanhCM has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
François Jacquet confirmed that a fix has been merged on ba96fa a month ago
François Jacquet has been awarded the fix bounty
to join this conversation