Bad Sanitization on "vtlib_purify" function leads to XSS in tsolucio/corebos

Valid

Reported on

Aug 31st 2022


Description

The whole project is using "vtlib_purify" for the sanitization of user inputs. It does a good job while stripping HTML tags like <script> <svg> etc. However, it allows <a> tag and we can use javascript protocol on the href attribute via changing : character to &colon;. So, our final payload is <a href=javascript&colon;alert(document.domain)>click

Proof of Concept

For example, the file "NewReport0" is using "vtlib_purify" for the "reportmodule" parameter and prints the user's input after sanitization. We can get the XSS using the payload above.

https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&reportmodule=%3Ca+href=javascript%26colon;alert(document.domain)%3ECLICK%20ME

We can also get stored XSS in comments. Check the https://demo.corebos.com/index.php?module=Accounts&action=DetailView&record=87 , you will see a comment created by me that includes XSS.

Impact

This vulnerability leads to XSS on many cases (100+), because the whole project is using "vtlib_purify" for sanitization on user inputs.

We are processing your report and will contact the tsolucio/corebos team within 24 hours. 2 years ago
We have contacted a member of the tsolucio/corebos team and are waiting to hear back a year ago
Joe Bordes validated this vulnerability a year ago
bugraeskici has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
We have sent a fix follow up to the tsolucio/corebos team. We will try again in 7 days. a year ago
We have sent a second fix follow up to the tsolucio/corebos team. We will try again in 10 days. a year ago
We have sent a third and final fix follow up to the tsolucio/corebos team. This report is now considered stale. a year ago
Joe Bordes marked this as fixed in 8.0 with commit aaaca6 a year ago
Joe Bordes has been awarded the fix bounty
This vulnerability has now been published a year ago
to join this conversation