Bad Sanitization on "vtlib_purify" function leads to XSS in tsolucio/corebos
Reported on
Aug 31st 2022
Description
The whole project uses "vtlib_purify" for the sanitization of user input. It does a good job of stripping HTML tags like <script>, <svg>, etc. However, it allows the <a> tag, and we can use the javascript protocol on the href attribute by changing the ":" character to the HTML entity "&colon;".
So, our final payload is <a href=javascript&colon;alert(document.domain)>click
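The bypass above works because the scheme check runs on the raw attribute value while the browser evaluates the entity-decoded one. The following is an added example (not corebos code, and not the implementation of "vtlib_purify") showing a defensive href check that first canonicalises the value, decoding entities until stable and stripping control characters, and then tests the scheme against an allowlist; the function names, the SAFE_SCHEMES set and the constructed fragment are assumptions for this illustration.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist of URL schemes a sanitizer may keep in href/src attributes.
SAFE_SCHEMES = {"http", "https", "mailto"}

# Constructed sample: the shape of payload discussed in the report.
CONSTRUCTED_FRAGMENT = '<a href=javascript&colon;alert(document.domain)>click me</a>'


def naive_href_is_safe(href: str) -> bool:
    """Illustrative weak check: tests the scheme on the raw string only.

    It does not decode entities, so "javascript&colon;..." passes even though
    a browser decodes it to "javascript:..." before following the link.
    """
    return not href.lower().startswith("javascript:")


def normalize_href(href: str) -> str:
    """Bring an attribute value into the form the browser will actually see."""
    prev, cur = None, href
    # Decode entities repeatedly (conservative: also catches "&amp;colon;").
    while cur != prev:
        prev, cur = cur, html.unescape(cur)
    # Browsers ignore ASCII control characters and whitespace inside a scheme
    # (e.g. "java\tscript:"), so drop them before inspecting it.
    return re.sub(r"[\x00-\x20\x7f]", "", cur)


def href_is_safe(href: str) -> bool:
    """Allowlist check on the normalized value; scheme-less (relative) URLs pass."""
    norm = normalize_href(href)
    m = re.match(r"^([a-z][a-z0-9+.\-]*):", norm, re.IGNORECASE)
    if m is None:
        return True
    return m.group(1).lower() in SAFE_SCHEMES


class HrefAuditor(HTMLParser):
    """Collects (tag, attribute, value) triples whose URL fails the allowlist."""

    def __init__(self):
        super().__init__()
        self.unsafe = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value is not None and not href_is_safe(value):
                self.unsafe.append((tag, name, value))


def audit_fragment(fragment: str):
    """Return the unsafe URL attributes found in an HTML fragment."""
    auditor = HrefAuditor()
    auditor.feed(fragment)
    auditor.close()
    return auditor.unsafe


if __name__ == "__main__":
    raw = "javascript&colon;alert(document.domain)"
    print("naive check passes payload:", naive_href_is_safe(raw))   # True (bypassed)
    print("normalized check passes payload:", href_is_safe(raw))    # False (blocked)
    print("unsafe attributes in fragment:", audit_fragment(CONSTRUCTED_FRAGMENT))
```

The same normalization step should sit in front of any attribute-level scheme test, whatever the surrounding sanitizer; a tag allowlist alone (stripping <script> but keeping <a>) is not enough when the attribute value can carry a scheme.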
Proof of Concept
For example, the file "NewReport0" uses "vtlib_purify" for the "reportmodule" parameter and prints the user's input after sanitization. We can get the XSS using the payload above.
https://demo.corebos.com/index.php?module=Reports&action=ReportsAjax&file=NewReport0&reportmodule=%3Ca+href=javascript%26colon;alert(document.domain)%3ECLICK%20ME
We can also get stored XSS in comments. Check https://demo.corebos.com/index.php?module=Accounts&action=DetailView&record=87 , and you will see a comment created by me that includes the XSS.
Impact
This vulnerability leads to XSS in many places (100+), because the whole project uses "vtlib_purify" for the sanitization of user input.