Cross-site Scripting (XSS) - Stored in francoisjacquet/rosariosis
Reported on
Apr 30th 2022
Description
I am able to bypass the fix in the report https://huntr.dev/bounties/4f7be1e2-b844-4def-af9f-136dcce1c349/ which caused the XSS vulnerability.
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Steps to reproduce
The vulnerability exists on Firefox (not in chromium based browsers).
1. Log in to the demo environment with an administrator account.
2. In the left menu, go to RESOURCES -> Resources.
3. Add a new record with any TITLE and, in the LINK field, add this payload: javascri	pt:alert(1)
4. Click on the SAVE button, then click the link; you will see the XSS popup.
Impact
This vulnerability has the potential to phish users to another page, trick them into giving up their cookies, and gain unauthorized access to those users' accounts through the stolen cookies.
Hello @khanhchauminh
Thank you for your report. I have no idea how to prevent those new cases easily then. Any recommendations?
Hi @maintainer,
I am not good at fixing vulnerabilities; however, from my point of view, I think you should use a regex to filter those cases. You can search for the string 	; if it exists in the user input, then you can disable the link to that input.
Thank you for your answer. I have opted for a solution where HTML entities are first decoded. Then, they can be encoded as URL entities, so the payload is now http://[rosariosis_url]/javascri%09pt:alert(1). The fix will come in version 9.0.
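As an added example (not RosarioSIS code, and not the fix the maintainer describes above), the check below shows why a literal "javascript:" prefix test misses the tab-separated payload from this report, and an allowlist check that decodes HTML character references first and then lets a WHATWG URL parser, which strips ASCII tab and newline the way browsers do, decide the effective scheme. The entity decoder is deliberately minimal, and the placeholder origin example.invalid used for relative links is an assumption.

```javascript
// Minimal HTML character-reference decoder: numeric references plus the few
// named ones relevant to scheme smuggling. Production code should use a full
// decoder; this one only covers what the example needs.
function decodeHtmlEntities(s) {
  const named = { Tab: "\t", NewLine: "\n", colon: ":", amp: "&" };
  return s
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&(Tab|NewLine|colon|amp);/g, (_, n) => named[n]);
}

// The kind of check the reported payload defeats: the stored value never
// literally starts with "javascript:", so the prefix comparison passes.
function naiveLinkIsSafe(link) {
  return !link.toLowerCase().trim().startsWith("javascript:");
}

// Hardened check. 1) Decode character references, because the HTML parser will
// decode them once the value lands in an href attribute. 2) Parse with the
// WHATWG URL parser (Node's URL class), which removes every ASCII tab/newline
// from the input before scheme parsing, exactly as Firefox and Chromium do, so
// "javascri\tpt:" is seen as "javascript:". 3) Allow only known-good schemes
// instead of blocking known-bad ones.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

function linkIsSafe(link) {
  const decoded = decodeHtmlEntities(link);
  let url;
  try {
    url = new URL(decoded); // absolute URL
  } catch {
    // Relative links (e.g. a path to a file in the app) are resolved against a
    // placeholder origin (assumption) so they inherit an allowed scheme.
    try {
      url = new URL(decoded, "https://example.invalid/");
    } catch {
      return false; // unparseable: reject
    }
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}

// Constructed sample inputs: the report's payload (tab inside the scheme) and
// the entity-encoded form of the same tab.
const TAB_PAYLOAD = "javascri\tpt:alert(1)";
const ENTITY_PAYLOAD = "javascri&#9;pt:alert(1)";
```

Running `naiveLinkIsSafe(TAB_PAYLOAD)` returns true (the bypass), while `linkIsSafe` rejects both payload forms and still accepts ordinary http/https links and relative paths.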