stored XSS after XSS Filter Bypass through exporting an HTML-Document in thorsten/phpmyfaq

Valid

Reported on

Feb 14th 2023


Hello,

After mitigation of all submitted XSS vulnerabilities, I was able to detect another XSS and bypass the XSS filters in the FAQ site while generating an HTML export.

Let's see :)


This is the XSS payload with XSS Ahmed 2

Only XSS Ahmed 2 will work!

Now let's export it in HTML5 and open the file; the XSS alert will be fired.

As you can see, this is the XSS payload; let's refresh, it's stored.

Thank you for watching :)


We are processing your report and will contact the thorsten/phpmyfaq team within 24 hours. 7 months ago
ahmedvienna modified the report
7 months ago
thorsten/phpmyfaq maintainer has acknowledged this report 7 months ago
Thorsten Rinne gave praise 7 months ago
ahmedvienna
7 months ago

Researcher


Yes, but it can still steal cookies from any administrator, including normal users. Therefore, it should be mitigated.


I have a question, please. Can you assign the CVE to 2 persons or more in case we worked together?

Best regards, Ahmed Hassan

Thorsten Rinne
7 months ago

Maintainer


document.cookie is empty if you load the HTML file from the file system.

ahmedvienna
7 months ago

Researcher


Yes, that's true, but the attacker can still carry out malicious attacks like implementing a keylogger, implementing login panels, downloading malicious content like malware onto the victim's PC (which can be the admin, of course) and running any scripts he wants, including ransomware attacks.

Even if the cookies can be stolen, there are several attack scenarios which can be carried out just by allowing the attacker to execute JavaScript.

Thorsten Rinne
7 months ago

Maintainer


Great work @ahmedvienna 👌 Could you kindly propose/submit a fix for this vulnerability? Any help is appreciated.

ahmedvienna
7 months ago

Researcher


Of course. This is the process for the vulnerability mitigation:

Preventing XSS in HTML and PHP: the following are the methods by which we can prevent XSS in our web applications:

Using the htmlspecialchars() function – The htmlspecialchars() function converts special characters to HTML entities. For the majority of web apps, we can use this method, and it is one of the most popular methods to prevent XSS. This process is also known as HTML escaping.
    `&` (ampersand) becomes `&amp;`
    `"` (double quote) becomes `&quot;`
    `>` (greater than) becomes `&gt;`
htmlentities() – htmlentities() also performs the same task as htmlspecialchars(), but this function covers more character entities. Using this function may also lead to excessive encoding and may cause some content to display incorrectly.
strip_tags() – This function removes content between HTML tags. This function also does not filter or encode non-paired closing angular braces.
addslashes() – The addslashes() function adds a slash character in an attempt to prevent the attacker from terminating the variable assignment and adding executable code at the end.
Content Security Policy (CSP) – CSP is the last option that we choose to defend against XSS attacks. The use of CSP puts restrictions on the attacker's actions. Our browser executes all the JavaScript it receives from the server, whether internally sourced or externally sourced. When it comes to an HTML document, the browser fails to determine whether the resource is malicious or not. CSP is an HTTP header that whitelists a set of trusted resource sources that a browser can use to determine trust in the incoming resource.

X-Content-Security-Policy: script-src 'self'
Thorsten Rinne
7 months ago

Maintainer


CSP does not work if you load a local file ;-)

Thorsten Rinne
7 months ago

Maintainer


Sorry, CSP works and is the solution.
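The two remedies discussed above, output escaping with htmlspecialchars() and a CSP, are shown together below in a worked example. This is an added illustration written for this page, not phpMyFAQ's own export code and not the fix shipped in the commit referenced further down; the function names, the record layout and the payload in the sample data are constructed for the example (the payload is a generic stand-in, not the reporter's). It also covers the point raised in the exchange about local files: an export opened from disk never receives HTTP response headers, so a header-based CSP cannot apply and the policy has to be carried inside the document as a `<meta http-equiv>` element.

```php
<?php
declare(strict_types=1);

// Added example, not phpMyFAQ's code: the same HTML5 export rendered the
// unsafe way (stored fields concatenated verbatim) and the hardened way
// (fields escaped, document-level CSP). Records and payload are constructed.

/** Escape untrusted text for use in HTML element content and attribute values. */
function escapeHtml(string $untrusted): string
{
    // ENT_QUOTES covers both quote characters, ENT_HTML5 selects the HTML5
    // entity table, ENT_SUBSTITUTE replaces invalid UTF-8 instead of
    // returning an empty string (which would silently drop content).
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_HTML5 | ENT_SUBSTITUTE, 'UTF-8');
}

/** Unsafe: whatever survived the input filter is written into the file as markup. */
function renderExportUnsafe(array $records): string
{
    $body = '';
    foreach ($records as $r) {
        $body .= "<h2>{$r['question']}</h2>\n<div>{$r['answer']}</div>\n";
    }
    return "<!DOCTYPE html>\n<html><head><meta charset=\"utf-8\">"
         . "<title>FAQ export</title></head>\n<body>\n{$body}</body></html>\n";
}

/** Hardened: every stored field is escaped and the file carries its own CSP. */
function renderExportSafe(array $records): string
{
    // An export opened from disk (file://) never sees HTTP response headers,
    // so a header-based policy would not apply; the policy has to travel in
    // the document as <meta http-equiv="Content-Security-Policy">. With no
    // script-src allowed (default-src 'none') the browser refuses inline
    // scripts, event handlers and external scripts alike.
    $csp  = "default-src 'none'; style-src 'unsafe-inline'; img-src data:";
    $head = '<meta charset="utf-8">'
          . '<meta http-equiv="Content-Security-Policy" content="' . escapeHtml($csp) . '">'
          . '<title>FAQ export</title>';
    $body = '';
    foreach ($records as $r) {
        $body .= '<h2>' . escapeHtml($r['question']) . "</h2>\n"
               . '<div>' . escapeHtml($r['answer']) . "</div>\n";
    }
    return "<!DOCTYPE html>\n<html><head>{$head}</head>\n<body>\n{$body}</body></html>\n";
}

/** True when the rendered export contains no tag other than those the renderer writes. */
function exportIsInert(string $html): bool
{
    // Only the tags emitted by the renderer itself may appear as real markup;
    // any other tag name must have come from stored data.
    preg_match_all('/<\/?([a-zA-Z][a-zA-Z0-9]*)/', $html, $m);
    $allowed = ['html', 'head', 'meta', 'title', 'body', 'h2', 'div'];
    foreach ($m[1] as $tag) {
        if (!in_array(strtolower($tag), $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample records; the second answer is a generic stand-in for a
// payload that passed the application's input filter (not the reporter's payload).
$records = [
    ['question' => 'How do I reset my password?',
     'answer'   => 'Use the "Forgot password" link on the login page.'],
    ['question' => 'Ordinary question',
     'answer'   => '<img src=x onerror="alert(document.domain)">'],
];

$unsafe = renderExportUnsafe($records);
$safe   = renderExportSafe($records);

printf("unsafe export inert: %s\n", exportIsInert($unsafe) ? 'yes' : 'no');
printf("safe export inert:   %s\n", exportIsInert($safe) ? 'yes' : 'no');

// Open this file from disk in a browser: the stored payload renders as text
// and the meta CSP blocks any script that might still have slipped through.
file_put_contents('faq-export.html', $safe);
```

Two caveats for anyone adapting this. First, the escaping step assumes the stored fields are plain text; where answers are stored as rich HTML, as a WYSIWYG editor produces, wholesale escaping would display the formatting as literal text, and the right tool is an allow-list sanitizer (HTML Purifier is the usual choice in PHP) applied at export time, with the meta CSP kept as the second layer for anything the sanitizer misses. Second, the meta form of CSP must sit in `<head>` before any content and does not honour a few header-only directives (frame-ancestors, report-uri, sandbox), which does not matter for an offline export but is worth knowing before reusing the same policy string in an HTTP header. The underlying point of the report stands either way: an input filter is a convenience, and the place to guarantee safety is the output path that writes the file.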

Thorsten Rinne validated this vulnerability 7 months ago
ahmedvienna has been awarded the disclosure bounty
The fix bounty is now up for grabs
Thorsten Rinne marked this as fixed in 3.1.12 with commit ca75f4 7 months ago
Thorsten Rinne has been awarded the fix bounty
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Mar 31st 2023
Thorsten Rinne published this vulnerability 6 months ago